[
https://issues.apache.org/jira/browse/APEXCORE-318?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15122346#comment-15122346
]
Pramod Immaneni commented on APEXCORE-318:
------------------------------------------
Chris, if we follow a similar model like Hadoop of using a separate email list,
is it OK to ask infra for an email list like [email protected] (without
using incubator), or should we wait till the last possible moment before
becoming top level to request this?

Secondly, since the nature of groups like these would be to not announce
issues to the public until the vulnerabilities are fixed, is it right to assume
that the membership of this group is selective and may not be every committer?

Also, how do groups like these track issues before the vulnerabilities are
fixed? Can JIRA still be used without making the information public for these
till the fix?
> Document security vulnerability process
> ---------------------------------------
>
> Key: APEXCORE-318
> URL: https://issues.apache.org/jira/browse/APEXCORE-318
> Project: Apache Apex Core
> Issue Type: Task
> Reporter: Chris Nauroth
> Assignee: Pramod Immaneni
> Labels: tlp
>
> QU30
> The project provides a well-documented channel to report security issues,
> along with a documented way of responding to them.
> I couldn't find a security vulnerability process documented at
> apex.incubator.apache.org. Example:
> http://hadoop.apache.org/mailing_lists.html
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)