Hi, it's a really interesting argument.

In my opinion, for sporadic cases, it's important to ask for help, even by involving other PMC members (maybe the ones with a bit more focus on security). For situations where this problem happens every time there is a security flaw, I think the project should go to the attic: it's the responsibility of the PMC to deal with security flaws.

That is just my opinion, obviously.

Cheers.

On Thu, 10 Oct 2024 at 17:31, Mark Thomas <ma...@apache.org> wrote:

> All,
>
> One of the discussions during the security table top exercise in Denver
> was how to handle the situation where a project doesn't have the
> skill-set necessary to respond to a security vulnerability report.
>
> Is this a reason to send the project to the attic? Or back to the
> incubator to build a bigger community with the right skills? Or ... ?
>
> Or do we take another approach and try and find a mechanism to add
> people to the project. Some sort of group of subject matter experts that
> can be called upon?
>
> Thoughts?
>
> Mark