Roman,

I wanted to separate out this thread to further discuss the feedback you
gave. Could you please expand a bit on what wiki recommendations we should
have in place? We are more extensively documenting our release policy so we
can transparently execute a patch at the drop of a hat.

Ed

> *QU30: The project provides a well-documented channel to report security
> issues, along with a documented way of responding to them.*
>
> Currently we just link to: http://www.apache.org/security/ Are we able to
> do as other projects at http://www.apache.org/security/projects.html or is
> a private channel not something we can set up till we're out of
> incubation? If we can move forward, I'd suggest we have a security page
> on our site, document and fix known vulnerabilities and then provide clear
> instruction on reporting vulnerabilities to a private channel like
> secur...@fineract.incubator..apache.org

This is less about security@fineract vs.  http://www.apache.org/security/
and more about the community being ready for when the first 0 day
hits either of those. Being ready is a combination of tribal knowledge,
wiki recommendations and a release policy that would allow you to patch
at a drop of a hat.





-- 
*Ed Cable*
Director of Community Programs, Mifos Initiative
edca...@mifos.org | Skype: edcable | Mobile: +1.484.477.8649

*Collectively Creating a World of 3 Billion Maries | *http://mifos.org
<http://facebook.com/mifos>  <http://www.twitter.com/mifos>
