Security contact incorrect

[quozl]

Reporting security issues through GitHub (such as via dependabot discovery) on this repository redirects to security@sugarlabs.org, which bounces.

Either;

• don't redirect to security@sugarlabs.org,
• point security@sugarlabs.org at specific people.

Thanks.

[pikurasa]

@chimosky what do you recommend?

[chimosky]

Creating a new alias - security@sugarlabs.org - can work, but the question is, who do we want to see these alerts?

systems@lists.sugarlabs.org comes to mind, but I'm skeptical as most people on the list don't manage our GH repos, but it does give visibility to the issue.

If anyone is fine with receiving and looking into these issues then we can create an alias and have it point at them.

[quozl]

systems@lists.sugarlabs.org is public, archived, using that would violate the conventions on privacy of disclosure.

https://lists.sugarlabs.org/archive/systems/

It should be an office-bearer of the organisation, or one of their delegates.

Also remember to consider not having a GitHub security contact, requiring all disclosures to be public or to office-bearers in private.

[chimosky]

systems@lists.sugarlabs.org is public, archived, using that would violate the conventions on privacy of disclosure.

https://lists.sugarlabs.org/archive/systems/

It should be an office-bearer of the organisation, or one of their delegates.

Also remember to consider not having a GitHub security contact, requiring all disclosures to be public or to office-bearers in private.

I agree, we can have someone on the board handle this.