I'd also recommend that you create a [email protected]
for users to report any security issues they discover.

.. Owen

On Thu, Jun 2, 2016 at 10:28 AM, Casey Stella <[email protected]> wrote:

> Sorry, it's deleted now.  We will be more careful in the future.
>
> Thanks for the vigilance, Larry.
>
> Casey
>
> On Thu, Jun 2, 2016 at 1:24 PM, larry mccay <[email protected]> wrote:
>
> > All -
> >
> > Please become familiar with the Apache process for reporting,
> > discussing, filing JIRAs and fixing security vulnerabilities [1].
> >
> > METRON-198 has exposed more than we should in a public manner and the
> > attached report should be removed.
> >
> > Details of any particular issues should only be discussed on a project's
> > security or private list and it needs to also include the [email protected]
> > list.
> >
> > Fixes need to be discussed and agreed upon on the private list and JIRAs
> > filed to commit the fix should be vague and as general as possible - so as
> > not to disclose the details of the vulnerabilities and inform the
> > development of exploits.
> >
> > Also, pay attention to the CVE related aspects of the process in the page
> > referenced below.
> >
> > thanks,
> >
> > --larry
> >
> > 1. http://www.apache.org/security/committers.html
> >
>
