I think we need to form a security response team to be contacted for responsible disclosure. We could set up a shared email account and share a PGP keypair which we each sign with our own keys.
Note: This discussion was imported from Loomio.
PGP for the paranoid so that they can send us encrypted mails and it doesn’t matter if the mailbox gets hijacked or the mail gets intercepted or whatever. Just common practice and can’t do harm. So, any suggestions where to get a mailbox?
@jonneha what about creating an email on @diasporaproject.org when Sean has access to it? We certainly have an email server somewhere (with OVH, I have an email address with every domain name I have, maybe it’s the same here).
Max must know this person, or at least how to get in contact with them, otherwise they wouldn’t have pointed diasporafoundation.org to his site in the first place - surely?
They have both email and mailing lists. There are two ways to get an account, either by writing them a request and telling them who we are and why we want it, or by using invitation codes, and as both I and Paul do already have accounts for personal purposes we could generate invitation codes.
We now have full control over diasporafoundation.org, including a mail server listening to it, run by @dennisschubert. It’s time to make security@diasporafoundation.org a reality. I’m going to generate and publish a PGP key for it; anybody who wants to be in the team can contact me and I’ll share the key with you, unless somebody knows a better method to get PGP working on that address.
I’ve not heard about security@diasporafoundation.org before, Jonne. What is it intended to be? I’d like to know to see if it’s something I could be a part of.