While filling out the Maturity Model, I noted that several questions were asked around our community's seriousness in addressing user security issues/reporting. However, our website (footer) had a "security" link that simply sent you to a general Apache site which has you contact the "Apache security team" which really has no ties (or even process) to connect it back to the OpenWhisk (or any Incubator) project.
I found a nicer approach taken by a recently grad. project which I liked which was to provide a more personal page from our website to display on clicking the "security" link on any footer. It instructs the user to submit suspected vuln. issues directly to the PMC private email list (which is the desired process) and hopefully gets the immediate attention of our PMC whose members can quickly investigate and instigate the internal Apache processes as needed.

Priti kindly reviewed/merged the new page for me and you can find it here: https://openwhisk.apache.org/security.html

Please comment if you feel anything needs to be added, but this actually is complete and succinct IMO.

Kind regards,
Matt
