Security policy

This policy describes how security-related issues are handled in projects hosted on www.openoces.org.

Potential security issues that people wish to bring to the attention of the OpenOces core development team should be addressed to security@openoces.org. We ask people not to disclose the information elsewhere. If the issue can be verified as a security issue, a security announcement will be released with due credit to the reporter.

All security announcements are published here and posted to the mailing list announce-general@openoces.org.

We recommend that all individuals using OpenOces projects in production environments subscribe to the mailing list announce-general@openoces.org.

People wanting to join the mailing list security@openoces.org are encouraged to send a request stating their motivation to security@openoces.org. Applications will be evaluated on a case-by-case basis by the current members. The main criterion is the extent to which someone can be helpful in executing the security policy as described here. That includes a willingness not to disclose issues prematurely.

Security announcements

Date        Description                                              Link
2005-02-18  OpenSign uses the potentially flawed SHA-1 function      link