Jordan Wiens wrote:
Sent this to roundcube@gmail.com, but never heard back. Since this is a public list, I've removed descriptions of the raw vulnerabilities. Would prefer to handle those privately unless explicitly told otherwise. Feel free to contact me via email or phone.
Hi Jordan,
I've received your message and it is still marked as unread. This is mostly because I didn't know exactly what to answer on your question but I'm glad to see that already discussed in the thread.
You are welcome to send vulnerability reports privately to me, Till and the other devs listed at http://trac.roundcube.net/trac.cgi/wiki/Dev_Members
Maybe the wiki page also allows you to decide which person should be involved regarding the responsibilities.
Regards, Thomas
List info: http://lists.roundcube.net/dev/