Re: Probably security hole in postgresql-7.4.1

From: Greg Stark <gsstark(at)mit(dot)edu>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Probably security hole in postgresql-7.4.1
Date: 2004-05-12 17:20:56
Message-ID: 87k6zhr287.fsf@stark.xeocode.com
Lists: pgsql-hackers


Shachar Shemesh <psql(at)shemesh(dot)biz> writes:

> Also, if we want greater flexibility in handling these cases in the future, we
> should set up an invite-only list for reporting security bugs, and advertise it
> on the web site as the place to report security issues. Had this vulnerability
> been reported there, we could reasonably hold on without releasing a fix until
> 7.4.3 was ready.

A lot of people would be unhappy with that approach. A) They don't know the
people on the invite-only list and have no basis to trust them, and B) often
when a white hat reports the problem the black hats have known about it for
much longer already.

--
greg
