I'd be happy to help out. Limiting distribution of vulnerabilities to the PMC would pose a problem for me, however. I'm also unsure that limiting distribution of vulnerabilities is a good idea at this point: 1) the exposure is low and 2) better to keep all involved/aware rather than a limited few...
 
--kevan
 
On 11/18/05, Aaron Mulder <[EMAIL PROTECTED]> wrote:
All,

I'd really like to have a group of interested and available people to
review security-related changes to Geronimo.  And by this I mean,
features dealing with SSL, security realms, storing files with
passwords, showing passwords in the console, establishing procedures
for "locking down the server", reviewing vulnerability reports, etc.
I don't really mean nitty-gritty details of JACC or conducting a
comprehensive security audit of the entire codebase.

What would people think of that, and are there any volunteers?

I should also note that I expect some vulnerabilities to be reported
to the PMC rather than to the public list, but I think a lot can be
done outside the PMC as well (or maybe I should exclude reviewing
vulnerability reports from what I'm talking about, I don't know if
there's a policy there).

Thanks,
   Aaron
