justinmclean opened a new issue, #182: URL: https://github.com/apache/airflow-steward/issues/182
## Summary

The ASF `security_committers` policy (https://www.apache.org/security/committers.html) states:

> The project team agrees on the fix, the announcement, and the release schedule
> with the reporter. If the reporter is unresponsive in a reasonable timeframe
> this should not block the project team from moving to the next steps,
> particularly if an issue is of high severity or impact.

The `security-issue-sync` skill tracks the reporter mail thread in detail but has no time-based escalation. If a reporter goes silent after the initial report, nothing in the framework prompts the security team to proceed without them. The team must notice the staleness manually by reading the thread dates themselves, and there is no proposal item that says "reporter has been silent for N days — proceed?".

A grep across the entire repo for "unresponsive", "reasonable timeframe", and "proceed without" returns zero matches in any skill, process doc, or roles doc.

## Required changes

In `security-issue-sync` Step 1c, after reading the reporter thread, add a staleness check: if the last outbound message from the security team to the reporter is older than a configurable threshold (suggested default: 14 days) and no reply from the reporter has landed since, surface an explicit numbered proposal item in Step 2b:

> "Reporter has not replied in N days — propose proceeding with fix and
> announcement without further reporter sign-off, per ASF policy."

Add a config key to `projects/_template/project.md` (e.g. `reporter_response_timeout_days`, default 14) so adopters can tune the threshold to their own norms.

Add a corresponding note to `docs/security/process.md` and `docs/security/roles.md` documenting that reporter unresponsiveness does not block the process and pointing to the configurable threshold.

## Policy reference

- https://www.apache.org/security/committers.html — step 11 under "Resolve"

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
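The staleness check the issue asks for, written out as an added example (not code from airflow-steward or from the issue author). It assumes the mail thread has already been reduced to a list of messages with a timestamp and a direction, and takes the threshold from the proposed `reporter_response_timeout_days` key; the sample thread is constructed.

```python
"""Reporter-silence check for a security mail thread (added example, not project code).

Assumed input shape (not specified by the issue): each message is a dict with
'date' (timezone-aware datetime) and 'direction' ('outbound' = security team to
reporter, 'inbound' = reporter to security team).
"""
from datetime import datetime, timedelta, timezone

# Suggested default from the issue; adopters would override it via the
# proposed `reporter_response_timeout_days` key in project.md.
DEFAULT_TIMEOUT_DAYS = 14


def parse(ts):
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


# Constructed sample thread: report, ack, agreement, then an unanswered team mail.
SAMPLE_THREAD = [
    {"date": parse("2024-03-01T09:00:00"), "direction": "inbound"},
    {"date": parse("2024-03-02T10:30:00"), "direction": "outbound"},
    {"date": parse("2024-03-03T08:15:00"), "direction": "inbound"},
    {"date": parse("2024-03-04T12:00:00"), "direction": "outbound"},
]


def reporter_silence(thread, now, timeout_days=DEFAULT_TIMEOUT_DAYS):
    """Return whole days since the last unanswered team mail, or None if no escalation.

    None covers three cases: the team never wrote to the reporter, the reporter
    replied after the team's last message, or the threshold is not yet reached.
    """
    outbound = [m["date"] for m in thread if m["direction"] == "outbound"]
    if not outbound:
        return None
    last_out = max(outbound)
    # Any reporter reply after the team's last mail resets the clock.
    if any(m["direction"] == "inbound" and m["date"] > last_out for m in thread):
        return None
    silent_for = now - last_out
    if silent_for < timedelta(days=timeout_days):
        return None
    return silent_for.days


def proposal_item(thread, now, timeout_days=DEFAULT_TIMEOUT_DAYS):
    """Render the Step 2b proposal line the issue proposes, or None when not due."""
    days = reporter_silence(thread, now, timeout_days)
    if days is None:
        return None
    return (f"Reporter has not replied in {days} days - propose proceeding with fix "
            "and announcement without further reporter sign-off, per ASF policy.")
```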
