www/security.html - subversion - Git at Google

 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <style type="text/css"> /* <![CDATA[ */
   @import "branding/css/tigris.css";
   @import "branding/css/inst.css";
   /* ]]> */</style>
 <link rel="stylesheet" type="text/css" media="print"
   href="branding/css/print.css"/>
 <script type="text/javascript" src="branding/scripts/tigris.js"></script>
 <title>Subversion Security</title>
 </head>

 <body>
 <div class="app">

 <h2>Subversion Security</h2>

 <p>If you discover a security vulnerability in Subversion, please
 email:</p>

 <!-- See http://www.cdt.org/speech/spam/030319spamreport.shtml for
      evidence that this has some effect. -->
 <blockquote>
 <p><strong>&#115;<span>&#101;&#099;&#117;</span>&#114;&#105;&#116;<span>&#121;&#064;&#115;&#117;&#098;&#118;&#101;</span>&#114;&#115;&#105;&#111;<span>&#110;</span>&#046;&#116;&#105;&#103;&#114;&#105;&#115;&#046;&#111;&#114;&#103;</strong></p>
 </blockquote>

 <p>It is safe to send sensitive reports to this address.  List
 membership is controlled, and the archives are not publicly
 accessible.  We will analyze your report and take appropriate action.
 Our usual procedure is to</p>

 <ol>
    <li>Make a fix for the vulnerability.</li>

    <li>Discreetly distribute the fix to a few large sites that run
    Subversion servers and are trusted to be discreet themselves.</li>

    <li>Release a new version of Subversion (containing just that fix)
    and publicly announce the vulnerability on the same day.</li>
 </ol>

 <p>This procedure may vary depending on the nature of the
 vulnerability and the degree of pre-existing public awareness, of
 course.</p>

 <p><span style="color: red"><i>Please do not reproduce the above email
 address on other web pages or in public postings.</i></span> Due to
 the need for responsiveness, the security list is unmoderated, which
 makes it particularly vulnerable to spammers.  Furthermore, we cannot
 easily change its address, even if the list were to start receiving
 spam, because it's too important to have a consistent, dependable
 place to report security holes.</p>

 <p>On this page, the address has been encoded in various ways to
 reduce the likelihood of a spam harvester noticing it.  But if the
 address starts appearing in other places on the Internet, then the
 harvesters will inevitably pick it up, and we'll be stuck wading
 through ever-increasing amounts of spam, trying not to lose important
 vulnerability reports in the noise.</p>

 </div>
 </body>
 </html>
	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
	<html xmlns="http://www.w3.org/1999/xhtml">
	<head>
	<style type="text/css"> /* <![CDATA[ */
	@import "branding/css/tigris.css";
	@import "branding/css/inst.css";
	/* ]]> */</style>
	<link rel="stylesheet" type="text/css" media="print"
	href="branding/css/print.css"/>
	<script type="text/javascript" src="branding/scripts/tigris.js"></script>
	<title>Subversion Security</title>
	</head>

	<body>
	<div class="app">

	<h2>Subversion Security</h2>

	<p>If you discover a security vulnerability in Subversion, please
	email:</p>

	<!-- See http://www.cdt.org/speech/spam/030319spamreport.shtml for
	evidence that this has some effect. -->
	<blockquote>
	<p><strong>s<span>ecu</span>rit<span>y@subve</span>rsio<span>n</span>.tigris.org</strong></p>
	</blockquote>

	<p>It is safe to send sensitive reports to this address. List
	membership is controlled, and the archives are not publicly
	accessible. We will analyze your report and take appropriate action.
	Our usual procedure is to</p>

	<ol>
	<li>Make a fix for the vulnerability.</li>

	<li>Discreetly distribute the fix to a few large sites that run
	Subversion servers and are trusted to be discreet themselves.</li>

	<li>Release a new version of Subversion (containing just that fix)
	and publicly announce the vulnerability on the same day.</li>
	</ol>

	<p>This procedure may vary depending on the nature of the
	vulnerability and the degree of pre-existing public awareness, of
	course.</p>

	<p><span style="color: red"><i>Please do not reproduce the above email
	address on other web pages or in public postings.</i></span> Due to
	the need for responsiveness, the security list is unmoderated, which
	makes it particularly vulnerable to spammers. Furthermore, we cannot
	easily change its address, even if the list were to start receiving
	spam, because it's too important to have a consistent, dependable
	place to report security holes.</p>

	<p>On this page, the address has been encoded in various ways to
	reduce the likelihood of a spam harvester noticing it. But if the
	address starts appearing in other places on the Internet, then the
	harvesters will inevitably pick it up, and we'll be stuck wading
	through ever-increasing amounts of spam, trying not to lose important
	vulnerability reports in the noise.</p>

	</div>
	</body>
	</html>