Opened 3 years ago

Closed 3 years ago

#22163 closed enhancement (fixed)

Make it more obvious how to report security related bugs

Reported by: gk Owned by: hiro
Priority: Medium Milestone:
Component: Webpages/Website Version:
Severity: Normal Keywords: website-content, ux-team
Cc: linda, mcs, Dbryrtfbcbhgf Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


We had a report about a bug reporter getting different (and partly) conflicting advice on how to report security sensitive bugs. The canonical way of doing so is mailing to tor-security@…. However, that seems to be not found easily. We should change that on our website.

Child Tickets

Change History (9)

comment:1 Changed 3 years ago by gk

Cc: linda added

Might be something for our website redesign to take into account, adding Linda.

comment:2 Changed 3 years ago by mcs

Cc: mcs added

comment:3 Changed 3 years ago by gk

Cc: Dbryrtfbcbhgf added

#22226 is a duplicate.

comment:4 Changed 3 years ago by linda

I'll keep this in mind.

comment:5 Changed 3 years ago by cypherpunks

#22412 is a duplicate.
That ticket is actually about reporting bad relays. So not a duplicate.

Last edited 3 years ago by cypherpunks (previous) (diff)

comment:6 Changed 3 years ago by cypherpunks

Yes, this is still very much a problem. The "Contact" page on says to "email the respective maintainer", but who that person is isn't very clear. Putting the tor-security email address on the contact page is absolutely necessary IMO. I actually reported a (low-severity) security bug through Trac because I couldn't find the tor-security email address, so this is a mistake that people can make with more severe issues that shouldn't be publicly visible.

Hiro: Are you the maintainer for the webpages and blog? You're the default owner for newly reported webpage and blog bugs, so I'm assuming that's the case. Could you take a look at when you get a chance? Thanks in advance. Fixing this bug is probably higher-priority, though :)

comment:7 Changed 3 years ago by hiro

Keywords: website-content ux-team added

Is this something we should take into account in the re-design? It seems a small issue we could tackle right away, but not sure how that maps to ux-team roadmap.

comment:8 Changed 3 years ago by kat5

A fix that may address this was applied for (Document how to report security vulnerabilities).

There is now a mailing list for reporting security bugs. The address and gpg key are on the Contact page, as well as the mailing list wiki page.

Not sure if we want to close this ticket or keep it as a placeholder for the redesign.

comment:9 Changed 3 years ago by hiro

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.