Security policy and [email protected]
Hi Folks,
Currently it looks like our security policy points towards tidelift. See https://github.com/dask/community/security/policy
Alternatively, we could create a [email protected] alias and have some folks subscribed to it. I mention this mostly because I don't really know what TideLift does with this information, and because I think that there are a few people here who would be well suited to handle things (@jcrist @jacobtomlinson @quasiben others).
Thoughts? -matt
Thanks for bringing this up @mrocklin. From the conversation in https://github.com/dask/community/issues/88 I think anyone can also send security reports directly to [email protected] (cc @TomAugspurger). Though I agree that a name like [email protected] is more aesthetically pleasing.
I'm not sure what value the TideLift procedure that https://github.com/dask/community/security/policy points to adds over directly e-mailing [email protected] or [email protected] though. Maybe it's that they offer optional GPG encryption? I could also be missing something else.
Regardless, I'm curious to hear others' thoughts on this topic. FWIW I'm generally okay updating https://github.com/dask/community/security/policy to something like "To report a security vulnerability to Dask, please e-mail [email protected]."
When there is a security report, someone from Tidelift emails the address we sent them. We discuss it, decide on how to address it, and they reply to the reporter.
I think tidelift is fine with any security policy, as long as there is one in place. But we would need to check their requirements.
Answering the question about what Tidelift does with the data. The privacy policy available is one of the better ones I've seen
- https://tidelift.com/about/privacy