Closed RandyMcMillan closed 2 years ago
Open to suggestions - I just wanted to post something to prompt discussion.
Honestly we could just drop the email alias on the website and put it on GitHub only, then link more strongly to the GitHub on the contact page?
Agree, hopefully that would solve the spamming issue, assuming those who would see it on GitHub won't still email it for support.
Alternatively, if dropping the email alias from the site is too destructive a change, the security disclosure bit could be left the way it currently is on the site (small and easy to miss). The Stack Exchange can be left in bold, as someone desperately seeking help would likely be in a rush for answers and the large community support message in this PR would catch their attention first (which is good). However, seeing another large message for security disclosure might cause them to consider that as an option for getting support as well (even despite the "not for support" message, people are just funny like that).
Regardless, I'd prefer just dropping it from the site and moving it to GitHub only as suggested above.
@TheBlueMatt
> Honestly we could just drop the email alias on the website and put it on GitHub only, then link more strongly to the GitHub on the contact page?
I'm happy to merge any changes wanted by the people on the list, but if moving the disclosure information to a different URL is something you think would work, we could just move it to a different page on the site.
Oops, to clarify, I’m not advocating moving security disclosure to GitHub issues, I’m suggesting that the only mention of the security disclosure alias be on GitHub issue default text or other similar. It’s just an idea and I’m not on that alias anymore so I can’t speak for anyone :).
On Aug 23, 2021, at 06:15, David A. Harding wrote:
> @TheBlueMatt
> > Honestly we could just drop the email alias on the website and put it on GitHub only, then link more strongly to the GitHub on the contact page?
>
> I'm happy to merge any changes wanted by the people on the list, but if moving the disclosure information to a different URL is something you think would work, we could just move it to a different page on the site.
Concept ACK. Thank you for working on this. I think this is a good solution to further discourage use of the alias for technical support, that it's only for reporting security issues.
> Alternatively, if dropping the email alias from the site is too destructive a change, the security disclosure bit could be left the way it currently is on the site (small and easy to miss).
Agree, no need to make the "responsible disclosure" part big. People who find security issues tend to be good at finding semi-hidden links too :smile:
0aeee59
ee2884d
1a12a84
197d098
dea9847
Here are a few variations to cherry-pick from...
Tested ACK dea98475b78ea9fa115bc81634218e9876115adf. I think the current commit tip is one of the better options, and there's no need to delay this further---we can always tweak things again later.
Thanks @RandyMcMillan for working on this and for providing multiple options!