Make it more obvious how to report security related bugs

We had a report about a bug reporter getting different (and partly) conflicting advice on how to report security sensitive bugs. The canonical way of doing so is mailing to tor-security@lists.torproject.org. However, that seems to be not found easily. We should change that on our website.

added component::webpages/website owner::hiro priority::medium resolution::fixed severity::normal status::closed type::enhancement ux-team website-content labels

Might be something for our website redesign to take into account, adding Linda.

Trac:
Cc: N/A to linda

Trac:
Cc: linda to linda, mcs

#22226 (moved) is a duplicate.

Trac:
Cc: linda, mcs to linda, mcs, Dbryrtfbcbhgf

I'll keep this in mind.

#22412 (moved) is a duplicate. That ticket is actually about reporting bad relays. So not a duplicate.

Yes, this is still very much a problem. The "Contact" page on www.torproject.org says to "email the respective maintainer", but who that person is isn't very clear. Putting the tor-security email address on the contact page is absolutely necessary IMO. I actually reported a (low-severity) security bug through Trac because I couldn't find the tor-security email address, so this is a mistake that people can make with more severe issues that shouldn't be publicly visible.

Hiro: Are you the maintainer for the webpages and blog? You're the default owner for newly reported webpage and blog bugs, so I'm assuming that's the case. Could you take a look at https://trac.torproject.org/projects/tor/ticket/22947 when you get a chance? Thanks in advance. Fixing this bug is probably higher-priority, though :)

Is this something we should take into account in the re-design? It seems a small issue we could tackle right away, but not sure how that maps to ux-team roadmap.

Trac:
Keywords: N/A deleted, ux-team, website-content added

A fix that may address this was applied for https://trac.torproject.org/projects/tor/ticket/9186 (Document how to report security vulnerabilities).

There is now a mailing list for reporting security bugs. The address and gpg key are on the Contact page, as well as the mailing list wiki page.

Not sure if we want to close this ticket or keep it as a placeholder for the redesign.

Trac:
Status: new to closed
Resolution: N/A to fixed

closed

mentioned in issue #22226 (moved)

mentioned in issue #22412 (moved)

moved to tpo/web/trac#22163 (closed)