> > This roughly reverts the httpd process to what we used prior to adopting
> > the Tomcat-esque policy for the whole ASF. We would have to document
> > this and possibly need it approved by the ASF security team.
>
> Not sure if we need to have it approved, but at least we should discuss with
> the ASF security team.
https://s.apache.org/cveprocess allows projects to deviate from the default policy with "review" from the ASF security team. So once you have agreement, have the PMC present the proposed policy.

This is not an uncommon plan; outside the ASF, projects such as OpenSSL have similar policies where lower severity issues (low/moderate) are committed as security fixes prior to and independently of releases.

Dealing with security issues in private is a pain, both in the process and in getting the right fix with limited reviewers. It's worth that pain when the issue is an actual risk to users, less so for the low risk issues.

Mark