Author: markt Date: Mon Mar 6 12:25:03 2023 New Revision: 1908122 URL: http://svn.apache.org/viewvc?rev=1908122&view=rev Log: Add a paragraph setting out what is considered out of scope
Modified: tomcat/site/trunk/docs/security.html tomcat/site/trunk/xdocs/security.xml Modified: tomcat/site/trunk/docs/security.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security.html?rev=1908122&r1=1908121&r2=1908122&view=diff ============================================================================== --- tomcat/site/trunk/docs/security.html (original) +++ tomcat/site/trunk/docs/security.html Mon Mar 6 12:25:03 2023 
@@ -48,21 +48,34 @@ </a></li> </ul> - </div><h3 id="Reporting_New_Security_Problems_with_Apache_Tomcat">Reporting New Security Problems with Apache Tomcat</h3><div class="text"> - <p>The Apache Software Foundation takes a very active stance in eliminating - security problems and denial of service attacks against Apache Tomcat. + </div><h3 id="Reporting_New_Security_Problems_with_Tomcat">Reporting New Security Problems with Tomcat</h3><div class="text"> + <p>The ASF takes a very active stance in eliminating security problems and + denial of service attacks against Tomcat. </p> <p>We strongly encourage folks to report such problems to our private security mailing list first, before disclosing them in a public forum. </p> + <p>Reports of problems that require any of the following will be considered + out of scope and will not be accepted by the Tomcat security team. The + list is not exhaustive. + <ul> + <li>Access to Tomcat's configuration files.</li> + <li>Deployment of a vulnerable web application.</li> + <li>Deployment of a malicious web application unless a SecurityManager + is configured with an appropriate security policy and the web + application is able to bypass a restriction enforced by the + SecurityManager.</li> + </ul> + </p> + <p><strong>Please note that the security mailing list should only be used - for reporting undisclosed security vulnerabilities in Apache Tomcat and - managing the process of fixing such vulnerabilities. We cannot accept - regular bug reports or other queries at this address. All mail sent to - this address that does not relate to an undisclosed security problem in - the Apache Tomcat source code will be ignored.</strong></p> + for reporting undisclosed security vulnerabilities in Tomcat and managing + the process of fixing such vulnerabilities. We cannot accept regular bug + reports or other queries at this address. 
All mail sent to this address + that does not relate to an undisclosed security problem in the Tomcat + source code will be ignored.</strong></p> <p>If you need to report a bug that isn't an undisclosed security vulnerability, please use the <a href="bugreport.html">bug reporting Modified: tomcat/site/trunk/xdocs/security.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security.xml?rev=1908122&r1=1908121&r2=1908122&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security.xml (original) +++ tomcat/site/trunk/xdocs/security.xml Mon Mar 6 12:25:03 2023 
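Review bot: Renaming the section also changes the generated heading id from `Reporting_New_Security_Problems_with_Apache_Tomcat` to `Reporting_New_Security_Problems_with_Tomcat`, so any existing link or bookmark to `security.html#Reporting_New_Security_Problems_with_Apache_Tomcat` (including ones in published advisories or third-party reporting guides) now lands at the top of the page instead of the reporting instructions. Consider keeping the old id as a redundant anchor (for example an empty `<a id="Reporting_New_Security_Problems_with_Apache_Tomcat"></a>` before the `<h3>`) so inbound links keep working. Separately, the new `<ul>` is nested inside a `<p>`, which is not valid HTML (a paragraph cannot contain a list, so browsers implicitly close the `<p>` at the `<ul>` and the trailing `</p>` is left dangling); close the paragraph after "The list is not exhaustive." and make the `<ul>` a sibling of it.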
@@ -58,21 +58,34 @@ </section> - <section name="Reporting New Security Problems with Apache Tomcat"> - <p>The Apache Software Foundation takes a very active stance in eliminating - security problems and denial of service attacks against Apache Tomcat. + <section name="Reporting New Security Problems with Tomcat"> + <p>The ASF takes a very active stance in eliminating security problems and + denial of service attacks against Tomcat. </p> <p>We strongly encourage folks to report such problems to our private security mailing list first, before disclosing them in a public forum. </p> + <p>Reports of problems that require any of the following will be considered + out of scope and will not be accepted by the Tomcat security team. The + list is not exhaustive. + <ul> + <li>Access to Tomcat's configuration files.</li> + <li>Deployment of a vulnerable web application.</li> + <li>Deployment of a malicious web application unless a SecurityManager + is configured with an appropriate security policy and the web + application is able to bypass a restriction enforced by the + SecurityManager.</li> + </ul> + </p> + <p><strong>Please note that the security mailing list should only be used - for reporting undisclosed security vulnerabilities in Apache Tomcat and - managing the process of fixing such vulnerabilities. We cannot accept - regular bug reports or other queries at this address. All mail sent to - this address that does not relate to an undisclosed security problem in - the Apache Tomcat source code will be ignored.</strong></p> + for reporting undisclosed security vulnerabilities in Tomcat and managing + the process of fixing such vulnerabilities. We cannot accept regular bug + reports or other queries at this address. 
All mail sent to this address + that does not relate to an undisclosed security problem in the Tomcat + source code will be ignored.</strong></p> <p>If you need to report a bug that isn't an undisclosed security vulnerability, please use the <a href="bugreport.html">bug reporting --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
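Review bot: The `<ul>` added here sits inside the `<p>` that ends with "The list is not exhaustive.", which produces invalid HTML once rendered (a `<p>` cannot contain block content, so the list implicitly terminates the paragraph and the closing `</p>` no longer matches anything). Close the paragraph before the list, for example:

<p>... The list is not exhaustive.</p>
<ul>
<li>Access to Tomcat's configuration files.</li>

and drop the `</p>` that currently follows `</ul>`. Since security.html carries the identical markup in this commit, the two files should be corrected in step so the generated page and its source do not drift. On wording, the third item combines "Reports of problems that require ... Deployment of a malicious web application" with an "unless ... is able to bypass" exception in one sentence; stating the SecurityManager bypass case as its own sentence ("A bypass of a restriction enforced by a correctly configured SecurityManager remains in scope.") would make the exception easier for reporters to find.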