While we're on the topic, what is the policy for things such as https://scan.coverity.com/ ? Would it be acceptable to use the "Only project summary is available to all users" project access? This has been brought up in a separate thread. Thanks,
Jon On Thu, Jun 2, 2016 at 1:30 PM Owen O'Malley <[email protected]> wrote: > I'd also recommend that you create a [email protected] > for users to report any security issues they discover. > > .. Owen > > On Thu, Jun 2, 2016 at 10:28 AM, Casey Stella <[email protected]> wrote: > > > Sorry, it's deleted now. We will be more careful in the future. > > > > Thanks for the vigilance, Larry. > > > > Casey > > > > On Thu, Jun 2, 2016 at 1:24 PM, larry mccay <[email protected]> wrote: > > > > > All - > > > > > > Please become familiar with of the Apache process for reporting, > > > discussing, filing JIRAs and fixing security vulnerabilities [1]. > > > > > > METRON-198 has exposed more than we should in a public manner and the > > > attached report should be removed. > > > > > > Details of any particular issues should only be discussed on a > project's > > > security or private list and it needs to also include the [email protected] > > > list. > > > > > > Fixes need to be discussed and agreed upon on the private list and > JIRAs > > > filed to commit the fix should be vague and as general as possible - so > > as > > > not to disclose the details of the vulnerabilities and inform the > > > development of exploits. > > > > > > Also, pay attention to the CVE related aspects of the process in the > page > > > referenced below. > > > > > > thanks, > > > > > > --larry > > > > > > 1. http://www.apache.org/security/committers.html > > > > > > -- Jon
