Dear ShardingSphere users and developers,

As you know, the Apache Software Foundation takes our users' security
seriously, and defines sensible release and security processes to make sure
potential security issues are dealt with responsibly. These indirectly also
protect our committers, shielding individuals from personal liability. Some
of this process is necessarily done in private, as we practice responsible
disclosure.

We are seeing potential security issues being reported privately to
the ShardingSphere PMC, but the PMC currently does not appear to have the
bandwidth to triage (and, if necessary, fix and disclose) them.

On behalf of the PMC: would anyone be interested in helping out here? If
so, please contact priv...@shardingsphere.apache.org with
secur...@apache.org in Cc.

If you're using this project in a professional capacity, now would be a
good time to campaign for time to be allocated to participating, so as to keep
the project healthy. This is the first step of our more formal security
escalation process [0]. If the ShardingSphere project cannot return to a
healthy cadence of dealing with security issues, the only responsible decision
for the PMC (which is collectively responsible for the oversight of the
project) would be to initiate the move to the Attic [1]. Of course we hope
this can be prevented.

Kind regards,

The ASF Security Team

[0] https://cwiki.apache.org/confluence/display/SECURITY/Project+Security+Response+Formal+Escalation
[1] https://attic.apache.org/