Opened 9 years ago

Closed 9 years ago

#3884 closed task (fixed)

add me to security@

Reported by: ioerror
Owned by: phobos
Priority: Medium
Milestone:
Component: Company
Version:
Severity:
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I'd like to be added to the security@ alias

Change History (4)

comment:1 Changed 9 years ago by arma

Component: - Select a component → Company

comment:2 Changed 9 years ago by phobos

Status: new → needs_information

What is the goal for security@? We don't advertise it anywhere. I'm unclear what someone would mail to security@ vs. the already published infrastructure email torproject-admin. Perhaps the first question will answer the confusion.

comment:3 Changed 9 years ago by arma

I agree that we need a policy for what security@ is for. I remember in the original discussion that weasel said something like "it should only be for torproject.org-infrastructure security mails". But the reality is that some people on the Internet believe there are a set of standard addresses that are always created (by convention) for domains and that have generally accepted purposes. Two examples are security@ and abuse@.

Where do we advertise torproject-admin? I don't see it on the contact page. I guess everybody here has different assumptions on how various classes of people who want to contact us will assume is the right way to contact us.

I think we would benefit from transparency on how things are handled now, what addresses exist, and how much (and what kind of) use they see. Andrew mentioned "nobody uses security@ so it must not matter!" yet if I understand correctly, mails to it have silently bounced for most of the time period he's thinking of.

I don't want to create yet another list that we encourage people to mail. I think we can learn from the lesson Microsoft learned here: http://blogs.technet.com/b/msrc/archive/2006/01/18/417697.aspx
They have secure@ as their address for non-infrastructure things, and security@ is an autoresponder because of the number and variety of mails it gets.

So let me try an answer: security@ is for the people who think that's the canonical address that everybody knows to mail when you want to reach security-oriented people at a company. Such senders typically expect that the alias is a team of people who will quickly route the issues where they need to go.

Saying that those people ought to think the world works in a different way, and/or not getting their mails to the right people, isn't really a workable approach.

Once we sort out security@ I will want us to sort out abuse@.

comment:4 Changed 9 years ago by phobos

Resolution: fixed
Status: needs_information → closed

I reject your reality and substitute my own. :)

security@ and abuse@ can point at tor-assistants then. I'd prefer to not create more lists that no one ever emails nor reads.
