List security contacts

We still don't have a security@ alias; listing personal emails is
unfortunately the next-best thing.

diff --git a/doc/bugs.mdwn b/doc/bugs.mdwn
index f16a4f8e111d6078360d6342f471ad09f92c9539..86df60408dd186cfc063ba9228e4a450cd7b71f0 100644 (file)
--- a/doc/bugs.mdwn
+++ b/doc/bugs.mdwn
@@ -3,6 +3,10 @@ elsewhere. Link items to [[bugs/done]] when done.
 
 Also see the [Debian bugs](http://bugs.debian.org/ikiwiki).
 
+If you are reporting a security vulnerability, please email the maintainers
+privately, instead of making it public by listing it here. See [[security]]
+for contact details.
+
 There are [[!pagecount pages="bugs/* and !bugs/done and !bugs/discussion and 
 !link(patch) and !link(bugs/done) and !bugs/*/*"
 feedpages="created_after(bugs/no_commit_mails_for_new_pages)"]] "open" bugs:

diff --git a/doc/security.mdwn b/doc/security.mdwn
index 6d68fac00622c0f3e52d465f5c060326886a01d8..e4851ecf5c25ae4f03bd42c71b8d98e840da9559 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -1,11 +1,16 @@
-Let's do an ikiwiki security analysis.
-
 If you are using ikiwiki to render pages that only you can edit, do not
 generate any wrappers, and do not use the cgi, then there are no more
 security issues with this program than with cat(1). If, however, you let
 others edit pages in your wiki, then some possible security issues do need
 to be kept in mind.
 
+If you find a new security vulnerability, please email the maintainers
+privately instead of listing it in a public bug tracker, so that we can
+arrange for coordinated disclosure when a fix is available. The maintainers
+are [[Joey Hess|joey]] (<joey@kitenet.net>),
+[[Simon McVittie|smcv]] (<smcv@debian.org>)
+and [[Amitai Schleier|schmonz]] (`schmonz-web-ikiwiki schmonz com`).
+
 [[!toc levels=2]]
 
 ----