- From: John Haugeland <john.haugeland@kayako.com>
- Date: Tue, 18 Nov 2008 13:15:43 -0700
- To: <html-tidy@w3.org>
Received on Wednesday, 19 November 2008 08:16:18 UTC
We have become aware of a very serious XSS injection in HTML Tidy (several weeks late because SecurityFocus does not report defects to vendors, which is a significant problem in its own right). I am prepared to provide a trivial patch to close it. What is the appropriate process for reporting security defects in private, to allow the patch cycle to close the problem without aggravating it?