[svn.git] / www / security.html
blob 5c1d88c77503722dd29dfa06f254735d3a4c7790
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<style type="text/css"> /* <![CDATA[ */
@import "branding/css/tigris.css";
@import "branding/css/inst.css";
/* ]]> */</style>
<link rel="stylesheet" type="text/css" media="print"
      href="branding/css/print.css"/>
<script type="text/javascript" src="branding/scripts/tigris.js"></script>
<title>Subversion Security</title>
</head>

<body>
<div class="app">

<h2>Subversion Security</h2>

<p>If you discover a security vulnerability in Subversion, please
email:</p>

<!-- See http://www.cdt.org/speech/spam/030319spamreport.shtml for
     evidence that this has some effect. -->
<blockquote>
<p><strong>&#115;<span>&#101;&#099;&#117;</span>&#114;&#105;&#116;<span>&#121;&#064;&#115;&#117;&#098;&#118;&#101;</span>&#114;&#115;&#105;&#111;<span>&#110;</span>&#046;&#116;&#105;&#103;&#114;&#105;&#115;&#046;&#111;&#114;&#103;</strong></p>
</blockquote>

<p>It is safe to send sensitive reports to this address. List
membership is controlled, and the archives are not publicly
accessible. We will analyze your report and take appropriate action.
Our usual procedure is to</p>

<ol>
<li>Make a fix for the vulnerability.</li>

<li>Discreetly distribute the fix to a few large sites that run
Subversion servers and are trusted to be discreet themselves.</li>

<li>Release a new version of Subversion (containing just that fix)
and publicly announce the vulnerability on the same day.</li>
</ol>

<p>This procedure may vary depending on the nature of the
vulnerability and the degree of pre-existing public awareness, of
course.</p>

<p><span style="color: red"><i>Please do not reproduce the above email
address on other web pages or in public postings.</i></span> Due to
the need for responsiveness, the security list is unmoderated, which
makes it particularly vulnerable to spammers. Furthermore, we cannot
easily change its address, even if the list were to start receiving
spam, because it's too important to have a consistent, dependable
place to report security holes.</p>

<p>On this page, the address has been encoded in various ways to
reduce the likelihood of a spam harvester noticing it. But if the
address starts appearing in other places on the Internet, then the
harvesters will inevitably pick it up, and we'll be stuck wading
through ever-increasing amounts of spam, trying not to lose important
vulnerability reports in the noise.</p>

</div>
</body>
</html>