qgis / PSC


Discuss how we should address potential QGIS server security issues #40

Open elpaso opened 4 years ago

elpaso commented 4 years ago

Discussing with Matthias about a potential issue in QGIS Server where an expression can be used to disclose information about the server environment, we came into the situation where we cannot publicly discuss the issue because we don't have a patch or a mitigation procedure yet.

This made me think that we should have a standard procedure about how we address these cases. I don't have a proposal, but I think that maybe we could have a reserved way to communicate with a restricted group of developers (security team) and perhaps even a dedicated budget for this kind of issue.

I'm thinking of a budget because it may happen that the patch (like in this case) is not trivial.

I remember we discussed something related to security disclosure in the past, maybe I just forgot about it and we do already have an established procedure, I apologize if that's the case.

alexbruy commented 4 years ago

There was a discussion a while ago: http://osgeo-org.1560.x6.nabble.com/QGIS-Developer-Reporting-security-related-issues-td5429789.html. Not sure if this is what you are looking for.