I was looking at Andrew's excellent clarifications to the CVE process
language ( https://github.com/apache/www-site/pull/109 ), and one
out-of-scope thought I had was to add a couple of steps/substeps.
Currently it says:
"The project team commits the fix. Do not make any reference that the
commit relates to a security vulnerability."
I was wondering about stretching that out into the larger text of:
"The project creates a plan for committing the fix and reviews this
with the Security Team. Once approved, the project team commits the fix.
This commit will not make any reference that the commit relates to a
security vulnerability."
Thanks,
Hen
[relevant page: https://www.apache.org/security/committers.html ]