Bug 197312

Summary: Add ports-secteam@ to the instructions page for reporting security vulnerabilities
Product: Documentation
Reporter: rsimmons0
Component: Website
Assignee: Jason Helfman <jgh>
Status: Closed FIXED
Severity: Affects Only Me
CC: bjk, jgh
Priority: ---
Version: Latest
Hardware: Any
OS: Any
Attachments:
  add the ports-secteam@ address to the reporting instructions (flags: none)

Description rsimmons0 2015-02-04 03:43:41 UTC
Created attachment 152539
add the ports-secteam@ address to the reporting instructions

The ports-secteam@ address should be listed on the page for instructions about reporting security issues. Perhaps the team and its members should be added to the list of admin teams as well.

I've attached a patch to the page en_US.ISO8859-1/htdocs/security/reporting.xml

I'm not sure who the members of the team are, so I have not included an update to the following page:
https://www.freebsd.org/administration.html#t-secteam
Comment 1 Benjamin Kaduk freebsd_committer freebsd_triage 2015-02-04 17:24:37 UTC
It's unclear to me that advertising the ports security team is useful until they have a published PGP key to use.  I am certainly not going to give advance notice of a vulnerability in software for which I am the upstream of a FreeBSD port via cleartext email!
Comment 2 rsimmons0 2015-02-04 17:33:06 UTC
Please pardon my ignorance, but do the ports-secteam members not use the sec officer key, or is that restricted to the secteam only?

My original suggestion was based on the assumption that they do.
Comment 3 rsimmons0 2015-02-04 17:36:46 UTC
My original suggestion was also based on an email conversation with secteam@ where I was pointed to the ports-secteam@ address as a better place to report ports security problems the next time I do. I was, however, following the directions on the en_US.ISO8859-1/htdocs/security/reporting.xml page on the website which at the moment has no mention of ports-secteam@.

My basis for the change in that page is to put the information that I received from secteam into the reporting instructions.

I totally agree with your hesitation based on cleartext email.
Comment 4 Benjamin Kaduk freebsd_committer freebsd_triage 2015-02-04 18:40:09 UTC
(In reply to rsimmons0 from comment #2)

Well, I am not on either team so I cannot speak with complete certainty, but generally a PGP key has as part of it one or more uids, which correspond to email addresses.  PGP email software generally makes it hard to use a given key to encrypt mail to a given email address when that address is not a uid of the key.  So, I do not expect that the teams share the same key.
Comment 5 commit-hook freebsd_committer freebsd_triage 2015-03-26 02:17:33 UTC
A commit references this bug:

Author: jgh
Date: Thu Mar 26 02:17:22 UTC 2015
New revision: 46381
URL: https://svnweb.freebsd.org/changeset/doc/46381

Log:
  - add reporting instructions to security page for ports collection issues

  PR:		197312 (based on)
  Differential Revision:	https://reviews.freebsd.org/D1904
  Submitted by:	rsimmons0@gmail.com
  Reviewed by:	bjk, wblock
  Approved by:	wblock (mentor)

Changes:
  head/en_US.ISO8859-1/htdocs/security/reporting.xml