Subject: libssh2 security

libssh2 security

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sat, 20 Aug 2016 17:41:45 +0200 (CEST)

Hi friends,

One of the remaining steps to make us reach 100% "CII best practices", is to
make sure we document how we deal with security problems and provide a way for
users to report such problems without immediately disclosing them to the
public.

I've written a suggested "security process" for how to handle these sort of
problems and I've set up an email alias (libssh2-security_at_haxx.se) with a
closed list of receivers to which suspected vulerabilities can be reported.

The process is my *suggested* approach and I'm interested in feedback and
comments to make sure we all agree on it. It is right now already easily
browsable here:

   https://github.com/libssh2/libssh2/blob/master/docs/SECURITY.md

There should be very few surprises in that. It is basically the same document
I've used in the curl project for many years. I stole it from there with
permission since I wrote the original =)

I'll make it viewable from the web site too in a day or two, depending on the
feedback here.

-- 
  / daniel.haxx.se
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2016-08-20