- Issue created by @drumm
- 🇺🇸United States greggles Denver, Colorado, USA
Spot check existing advisories to see how often people credited isn’t a simple list of Drupal.org accounts.
I believe it's extremely rare (maybe non existent) in the last 10 years for credit to be a link outside of Drupal.org
- 🇺🇸United States cmlara
From a technical standpoint:
As long as the Drupal CNA accepts email reports (see: https://www.cve.org/PartnerInformation/ListofPartners/partner/drupal) the system will in theory need to support non D.O. users. If the email submission is shutdown it might need to trigger a review of all D.O. account policies (Users banned by the CWG for example may still need to be permitted to open Security Reports and explicit exemptions from a number of site wide terms of services may be needed for security reporters).I believe it's extremely rare (maybe non existent) in the last 10 years for credit to be a link outside of Drupal.org
Flip side of that, how often does the Drupal Security team asked about how those working an issue want credit assigned?
We might have a case of 'process induced bias' here. I have worked a few security issues and never been asked how I want my credit attributed. Not saying I would change how I've been credited, however equally I'm not saying I would keep it either, since the choice has not been offered I have never considered it.
Tagging 📌 Create CVEs for contributed projects in 2024 Active as related since it is discussing using the content of the fields as authoritative data.
- 🇺🇸United States drumm NY, US
Email reports to security@drupal.org will be accepted indefinitely. There are no plans to change this.
For reports received by email, we do ask them to create an issue with a Drupal.org account. However, if an issue is valid and important to fix, we don’t let the process hold up working toward a fix. We can make the issue, start working on it, and ask if they have a Drupal.org account for collaboration on the issue. We do make it clear that to be credited on the security advisory, we do need a Drupal.org account.
Updating the organization you are credited with is doable, but does require admin access. We’re happy to update anything when asked.
- 🇺🇸United States drumm NY, US
The formatting does look very consistent, so we could convert this to more structured data. The exception I spotted was when we were doing combined advisories like https://www.drupal.org/sa-core-2018-001 → , but that is not too common. The structured data would still need (person, reported|fixed|coordinated, ”of the Drupal security team”); the last value could be a string and add the extra context.
That said, I think I’d like to keep the text field for now and add affordances for filling it out consistently. Converting to structured data would be more time-consuming buildout right now and a migration. That can be done later.
- 🇺🇸United States drumm NY, US
Advisories on www.drupal.org now allow filling reported/fixed/coordinated with a list of usernames. The Update button does the translation to HTML so it won’t update the HTML unless you proactively want to update it
Automatically closed - issue fixed for 2 weeks with no activity.