State how to report security and privacy vulnerabilities. #13
Conversation
charter.html
repository stating that you'd like to report a vulnerability, but
without describing the vulnerability. The <a href=#editors>Editors</a>
and <a href=#chairs>Chairs</a> will then solicit details of the
vulnerability from you privately.
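Review bot: the two-step process in this hunk (open a public issue saying you want to report, then wait for the Editors and Chairs to "solicit details of the vulnerability from you privately") names no confidential channel for that private exchange and no expected response time, so a reporter who gets no follow-up has no way to reach the chairs directly. Consider stating the private contact to be used for the details and a target acknowledgement time alongside this sentence.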
Is it possible to configure an issue tracker so that it is a "drop box", where anyone may file issues but issues are not publicly visible? That would be more convenient. Alternately, an email alias would be good. I think this multi-step process doesn't well align with how security and privacy researchers prefer to work.
Also not explained here: how the vulnerability will be reported to projects/vendors affected. Should that be spelled out? At the very least there needs to be a way for vendors to provide a point of contact to the chairs.
@othermaciej wrote:
Is it possible to configure an issue tracker so that it is a "drop box", where anyone may file issues but issues are not publicly visible? That would be more convenient.
I agree that would be more convenient. AFAICT it's not possible on GitHub.
Alternately, an email alias would be good.
That's a good idea. @wseltzer, is that something we could set up?
I think this multi-step process doesn't well align with how security and privacy researchers prefer to work.
Yeah, I agree. Do you think the text in https://github.com/privacycg/.github/blob/master/SECURITY.md is better?
Also not explained here: how the vulnerability will be reported to projects/vendors affected. Should that be spelled out? At the very least there needs to be a way for vendors to provide a point of contact to the chairs.
Good point. Thoughts, @TanviHacks & @erik-anderson?
An @w3 email would tend to come with an archive, but that could be set to team+chairs confidentiality
I agree with Maciej that we should make the reporting process as simple as possible. Vulnerabilities can be emailed to a w3 email address that is confidential and restricted. Chairs and/or w3c staff can then alert the appropriate spec editors and/or browser vendors vulnerable in some designated amount of time. We can also add some text about giving credit to the reporter when the issue is publicly disclosed.
Pointing to the SECURITY.md would be great. We should update that when we refine the process, e.g. a W3 email alias.
…e chairs to define it and to keep it updated.
Okay, I've updated this PR to simply reference https://github.com/privacycg/.github/blob/master/SECURITY.md instead of defining the policy here. Please re-review!
This is my attempt at addressing #12.