Actually, we follow https://www.apache.org/security/committers.html and are right to do so.
Since I got no answers I suppose it's a silent consensus and will do 2.

Jacques

On 16/09/2017 at 11:50, Jacques Le Roux wrote:
Hi,

Maybe you have heard about Equifax and Apache Struts recently. While following the story on the ASF members side I read some emails which made me think about our security issues diffusion strategy.

There are 2 things projects like HTTPD and Tomcat do:

1. They amend the commits that fixed the issue by adding the CVE reference in the comment.
2. Tomcat also includes a link/s to the commit/s that fixed the issue on their security page.

We already do 1 (at least I found some commit logs amended), but should we not also do 2 at https://ofbiz.apache.org/download.html ?

Jacques
