[TYPO3-core] RFC: Hint about security incident handling in EM

Michael Stucki michael at typo3.org
Fri Sep 1 23:54:09 CEST 2006


Hi Karsten,

> Type: featurette :)
> Branches: trunk, TYPO3_4_0

A good one!

> After talking to Michael Hirdes earlier today about the
> XSS-tipafriend-publicity issue we decided to point to the security team
> more offensive.
> 
> Michael will add notices on typo3.org where it fits and I prepared a
> little patch for the EM that points to the security team page in the EM
> when installing or importing extensions. The patch is against trunk, but
> there should be no differences to TYPO3_4_0.

Good idea! Btw, it applies fine for TYPO3_4_0...

> Please have a look and give suggestions on wording, look, location, ...

The notice reads like this:

"I think I found a security problem. What should I do?"

Though this may be a stupid idea, some users might be confused because they
think that the server is speaking this to the client. Don't you think? ;-)

Alternative suggestion:

"Found a security problem? Please get in touch with us!"

I would also say that it is enough to get in touch with the security team
only. We can still take care of getting in touch with the extension author.

Last but not least, I suggest removing the mailto-URL and referring to the team
site instead (because we will hopefully re-enable the form to report issues
soon...): http://typo3.org/teams/security/

Complete suggestion:

Found a security problem? Please get in touch with us!
If you think you have found a security issue in TYPO3 or an extension,
please contact the TYPO3 security team! Thank you!

- michael
-- 
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/