what is the protocol for discussing (potential) security vulnerabilities?
again, i said “potential” (so that everybody doesn’t get all out-of-whack over this).
some projects are hesitant to discuss such things in public forums (mailing lists, irc, message boards, etc.), and rightfully so, but i'd rather discuss it with someone (familiar with the openfire codebase, unlike myself) first before sounding any potential false alarms.
i did a google search of “openfire security” and didn’t find anything relevant to project protocol on the first two pages of hits. i searched the issue tracker for “security”, specifically in openfire, but only saw a few that appeared to either be well known (recent jetty vulnerability) or non-disclosed (no details).
thanks for openfire!