Who should security issues be reported to?
Fri Jan 28 08:23:56 EST 2005
"Fuzzyman" <fuzzyman at gmail.com> writes:
> The sourceforge bug tracker *is* the single right place to post such
> issues. The py-dev mailing list would be a second *useful* place to
> post such a comment, although not really the right place. The OP seemed
> to want an individual with whom he could have a private conversation
> about it.
I think he wanted a place to send a bug report that wouldn't be
exposed to public view until the developers had a chance to issue a
patch. With bugzilla, for example, you can check a bug labelled "this
is a security bug, keep it confidential". There's lots of dilemmas
and some controversy about keeping any bug reports confidential in an
open source system. But the general strategy selected by Mozilla
after much debate seems to mostly work ok. It basically says develop
a patch quickly, keep the bug confidential while the patch is being
developed, and once the patch is available, notify distro maintainers
to install it, and then after a short delay (like a couple days),
publish the bug.
Note that anyone with access to the bug (that includes the reporter
and selected developers) can uncheck the box at any time, if they
think the bug no longer needs to be confidential. The bug then
becomes visible to the public.