[tor-bugs] #3884 [Company]: add me to security@
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Tue Sep 27 19:39:23 UTC 2011
#3884: add me to security@
---------------------+------------------------------------------------------
Reporter: ioerror | Owner: phobos
Type: task | Status: needs_information
Priority: normal | Milestone:
Component: Company | Version:
Keywords: | Parent:
Points: | Actualpoints:
---------------------+------------------------------------------------------
Comment(by arma):
I agree that we need a policy for what security@ is for. I remember in the
original discussion that weasel said something like "it should only be for
torproject.org-infrastructure security mails". But the reality is that
some people on the Internet believe there are a set of standard addresses
that are always created (by convention) for domains and that have
generally accepted purposes. Two examples are security@ and abuse@.
Where do we advertise torproject-admin? I don't see it on the contact
page. I guess everybody here has different assumptions on how various
classes of people who want to contact us will assume is the right way to
contact us.
I think we would benefit from transparency on how things are handled now,
what addresses exist, and how much (and what kind of) use they see. Andrew
mentioned "nobody uses security@ so it must not matter!" yet if I
understand correctly, mails to it have silently bounced for most of the
time period he's thinking of.
I don't want to create yet another list that we encourage people to mail.
I think we can learn from the lesson Microsoft learned here:
http://blogs.technet.com/b/msrc/archive/2006/01/18/417697.aspx
They have secure@ as their address for non-infrastructure things, and
security@ is an autoresponder because of the number and variety of mails
it gets.
So let me try an answer: security@ is for the people who think that's the
canonical address that everybody knows to mail when you want to reach
security-oriented people at a company. Such senders typically expect that
the alias is a team of people who will quickly route the issues where they
need to go.
Saying that those people ought to think the world works in a different
way, and/or not getting their mails to the right people, isn't really a
workable approach.
Once we sort out security@ I will want us to sort out abuse@.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3884#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online