justinmclean opened a new issue, #176: URL: https://github.com/apache/airflow-steward/issues/176
## Summary

The ASF `security_committers` policy (https://www.apache.org/security/committers.html) mandates that vulnerability announcements be sent to four destinations:

> a. the same destinations as the release announcement
> b. the vulnerability reporter
> c. the project's security list (or [email protected])
> **d. [email protected] (subscription not required)**

Currently `[email protected]` does not appear anywhere in the airflow-steward repository — not in any skill file, not in any canned-response template, not in any announcement checklist or docs page. This means the `security-issue-sync` skill can walk a release manager through the full advisory lifecycle (Steps 13–15) without ever prompting them to notify `oss-security`, silently skipping a mandatory ASF policy step.

## Required changes

1. Add `[email protected]` as an explicit recipient in the announcement draft template used at Step 13 (advisory send).
2. Add a verification checklist item before the `announced - emails sent` label is applied, confirming the `oss-security` post has been sent.
3. Consider adding a note in `docs/security/roles.md` under "Keeping the reporter informed" that `oss-security` is a required destination distinct from the reporter notification.

## Policy reference

- https://www.apache.org/security/committers.html — "Announce" section, item (d)

## Notes

If the Airflow security team has an approved deviation from the standard ASF announcement process (the policy allows this with prior approval from `[email protected]`), this issue can be closed with a note documenting that deviation.

--
This is an automated message from the Apache Git Service.
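The verification step requested in item 2 can be made mechanical rather than a reminder: parse the draft announcement's address headers and compare them against the four destination groups the policy names. The code below is an added illustration written for this thread; it is not part of airflow-steward or of the `security-issue-sync` skill, and the release-announcement and project-security addresses in `REQUIRED_DESTINATIONS` are constructed placeholders (the issue text has the real addresses redacted). The `oss-security` address is the public list's address as I know it; `reporter` is passed in because it differs per advisory.

```python
"""Gate for the 'announced - emails sent' label: does the draft reach every
destination required by the ASF security_committers policy, items (a)-(d)?
Hypothetical helper, not airflow-steward code."""
from email import message_from_string
from email.utils import getaddresses

# Destination groups from https://www.apache.org/security/committers.html ("Announce").
# Every address in a group must be present; (a) in particular means *all* lists
# the release announcement went to, not just one of them.
REQUIRED_DESTINATIONS: dict[str, set[str]] = {
    # (a) same destinations as the release announcement (constructed placeholders)
    "release announcement lists": {"announce@project.example", "users@project.example"},
    # (c) project security list (constructed placeholder)
    "project security list": {"security@project.example"},
    # (d) oss-security, subscription not required (public list address)
    "oss-security": {"oss-security@lists.openwall.com"},
}


def recipients(draft: str) -> set[str]:
    """Every address named in To/Cc/Bcc of an RFC 822 draft, lower-cased."""
    msg = message_from_string(draft)
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def missing_destinations(draft: str, reporter: str) -> dict[str, set[str]]:
    """Map each destination group that is not fully covered to its missing addresses.
    (b), the vulnerability reporter, is supplied per advisory."""
    present = recipients(draft)
    required = {**REQUIRED_DESTINATIONS, "vulnerability reporter": {reporter.lower()}}
    return {name: addrs - present for name, addrs in required.items() if addrs - present}


def ready_to_label(draft: str, reporter: str) -> bool:
    """True only when nothing is missing: the check to run before applying the label."""
    return not missing_destinations(draft, reporter)


# Constructed sample drafts. The first mirrors the gap the issue describes: the
# reporter and the project lists are covered, oss-security is not.
DRAFT_MISSING_OSS_SECURITY = """\
From: Release Manager <rm@project.example>
To: announce@project.example, users@project.example
Cc: security@project.example, Vuln Reporter <Reporter@example.net>
Subject: CVE-PLACEHOLDER: example vulnerability in Example Project

(advisory body)
"""

DRAFT_COMPLETE = DRAFT_MISSING_OSS_SECURITY.replace(
    "Cc: security@project.example,",
    "Cc: security@project.example, oss-security@lists.openwall.com,",
)

if __name__ == "__main__":
    for name, draft in (("incomplete", DRAFT_MISSING_OSS_SECURITY), ("complete", DRAFT_COMPLETE)):
        gaps = missing_destinations(draft, "reporter@example.net")
        print(f"{name}: {'ready' if not gaps else 'missing ' + str(gaps)}")
```

Running the module prints that the first draft is missing the `oss-security` group and the second is ready; hooking `ready_to_label` into the step that applies `announced - emails sent` turns the checklist item into a hard stop instead of a reminder.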
