Closed GoogleCodeExporter closed 8 years ago
From KevinWall: hasn't something like this come up before, say with the
AntiSamy projects? Why reinvent the wheel each time? I'm thinking perhaps
just one OWASP-announcements or OWASP-secalerts for *all* the
OWASP projects. This is bound to come up in other OWASP projects that
involve code even if it hasn't already. I think even if this
were done OWASP-wide, it would be a low enough volume list that people
wouldn't mind. And while I can't speak for others, I personally would much
rather monitor a *single* mailing list than a half dozen. That's one reason
why sites such as Bugtraq and Secunia are successful.
Original comment by manico.james@gmail.com
on 26 Jan 2010 at 12:37
I would suggest that along with security patches that are announced that we
also put out our best estimate of a figure using the Common Vulnerability
Scoring System. CVSS v2 is becoming a de facto standard in vulnerability
announcements. I think this greatly helps people to decide how urgently they
need to apply the patch. Also, that way we don't have to define our own
ranking system.
Original comment by kevin.w.wall@gmail.com
on 28 Jan 2010 at 3:37
Do we have a place where we can get subscribed to ESAPI security alerts,
Critical patches etc?
Original comment by sub...@gmail.com
on 6 May 2010 at 9:48
AFAIK, nothing decided yet. OWASP Leadership is still discussing it.
Original comment by kevin.w.wall@gmail.com
on 9 May 2010 at 2:31
This is just the right thing to do. There is no excuse for not making this
happen in sync with the ESAPI 2.0 release.
Original comment by manico.james@gmail.com
on 1 Nov 2010 at 1:24
Original comment by kevin.w.wall@gmail.com
on 12 Feb 2011 at 8:39
This is being handled at an OWASP level for all projects and will be done
within the month.
Original comment by chris.sc...@owasp.org
on 23 Mar 2011 at 4:28
Original issue reported on code.google.com by
manico.james@gmail.com
on 25 Jan 2010 at 11:56