Congrats to all the new core team members! I'm sure you have a lot of governance items to consider and this is on your list already, but Salvatore suggested I open an issue to discuss this:
When there was only a single contact point for Redis there were a few informal security policies in place. Previously, responsible disclosure for Redis security bugs looked something like this:
1. Contact antirez directly
2. Patch is prepared by reporter or maintainer
3. Limited disclosure with timeline to vendors (decrease potential blast radius)
4. Public disclosure
Regarding item 3, the company I work for runs RedisGreen. We were on Salvatore's vendor list and I'd like to make sure that continues for the rare security issues that require such treatment. There are several other long-running hosting providers that should also be involved.
Of course item 1 will need to be updated with a mailing list or security contact from the core team, and all of this should probably go in the README or a SECURITY doc.
I'd be happy to draft a proposal but wanted to open the question first since this is the business of the core team.
Comment From: itamarhaber
Hello @bpo
Thanks for putting this out here - it needs to be addressed sooner rather than later. WRT 1., we'll be setting up the redis@redis.io email alias for direct and discreet contact with the core team. I feel that the same process can be retained, and we'll ask Salvatore for the current list so it can be maintained.
I'd also like to have this procedure formalized in the repo, and possibly in the docs as well. Your assistance in this matter, and future ones, is more than welcome and a draft would be great.
Comment From: bpo
> a draft would be great.
Sounds good, I'll put something together before next week. Thanks for the quick follow-up!
Comment From: oranagra
Vendor list obtained from Salvatore. Thanks for bringing this to our attention.