docs: reports via email are no longer accepted#46
UlisesGascon wants to merge 1 commit into master from
Conversation
ctcpip left a comment
It sucks that the email route involves spam and additional overhead, but disallowing email reporting will have real consequences aside from reducing spam and overhead. Like, not getting reports at all, or getting them in less desirable, perhaps public, ways.
Some researchers don't use GH, and sometimes they can't. (Anonymity, corporate policy, etc.)
This is also called out in OpenSSF guidance:
The vulnerability reporter is doing you a favor; don't add more steps than absolutely necessary. In the spirit of this balance, our recommendation is that using email for intake is okay, and should at least be provided as an alternative.
Is there something we could do to improve the email reporting route? Such as use an email system that is better at dealing with spam?
Main Changes
Updated the security reporting process to clarify that reports via email are no longer accepted and to specify using the Express repository.
Motivation
Given the amount of spam and the additional work required to monitor and process reports via email... IMO it is time to close that door and limit the reports to GitHub Advisories.