I filed an infra ticket for this: https://issues.apache.org/jira/browse/INFRA-12071

On Thu, Jun 9, 2016 at 9:43 AM, Michael Miklavcic <[email protected]> wrote:

> Hi all,
>
> Motion to create a [email protected] mailing list
> (http://apache.org/dev/committers.html#mail)
>
> Best,
> Michael Miklavcic
>
> On Thu, Jun 2, 2016 at 1:30 PM, Owen O'Malley <[email protected]> wrote:
>
> > I'd also recommend that you create a [email protected]
> > for users to report any security issues they discover.
> >
> > .. Owen
> >
> > On Thu, Jun 2, 2016 at 10:28 AM, Casey Stella <[email protected]> wrote:
> >
> > > Sorry, it's deleted now. We will be more careful in the future.
> > >
> > > Thanks for the vigilance, Larry.
> > >
> > > Casey
> > >
> > > On Thu, Jun 2, 2016 at 1:24 PM, larry mccay <[email protected]> wrote:
> > >
> > > > All -
> > > >
> > > > Please become familiar with the Apache process for reporting,
> > > > discussing, filing JIRAs and fixing security vulnerabilities [1].
> > > >
> > > > METRON-198 has exposed more than we should in a public manner and the
> > > > attached report should be removed.
> > > >
> > > > Details of any particular issues should only be discussed on a project's
> > > > security or private list and it needs to also include the [email protected]
> > > > list.
> > > >
> > > > Fixes need to be discussed and agreed upon on the private list and JIRAs
> > > > filed to commit the fix should be vague and as general as possible - so as
> > > > not to disclose the details of the vulnerabilities and inform the
> > > > development of exploits.
> > > >
> > > > Also, pay attention to the CVE related aspects of the process in the page
> > > > referenced below.
> > > >
> > > > thanks,
> > > >
> > > > --larry
> > > >
> > > > 1. http://www.apache.org/security/committers.html
