s/vendor-sec/distros@openwall/

rails · Jul 15, 2015 · 229597d · 229597d
1 parent 6bc9b66
commit 229597d
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/security/index.html b/security/index.html
@@ -144,7 +144,8 @@ <h2>Disclosure Policy</h2>
     	</ol>
 
     	<p>
-        Typically the embargo date will be set 72 hours from the time vendor-sec
+        Typically the embargo date will be set 72 hours from the time
+        <a href="http://oss-security.openwall.org/wiki/mailing-lists/distros">distros@openwall</a>
         is first notified, however this may vary depending on the severity of the bug
         or difficulty in applying a fix.
       </p>
@@ -169,11 +170,14 @@ <h2>Receiving Security Updates</h2>
         mailing list</a>. The mailing list is <strong>very</strong> low traffic, and
         it receives the public notifications the moment the embargo is lifted. If you
         produce packages of Ruby on Rails and require prior notification of vulnerabilities,
-        you should be subscribed to vendor-sec.
+        you should be subscribed to
+        <a href="http://oss-security.openwall.org/wiki/mailing-lists/distros">distros@openwall</a>.
       </p>
 
     	<p>
-        No one outside the core team, the initial reporter or vendor-sec will be notified
+        No one outside the core team, the initial reporter or
+        <a href="http://oss-security.openwall.org/wiki/mailing-lists/distros">distros@openwall</a>
+        will be notified
         prior to the lifting of the embargo. We regret that we cannot make exceptions to
         this policy for high traffic or important sites, as any disclosure beyond the
         minimum required to coordinate a fix could cause an early leak of the vulnerability.