Hi, I have some questions regarding our procedures for responsible disclosure of security bugs in Shindig. Instructions from Apache on how to disclose security issues in a project are given here: http://apache.org/security/committers.html.
1. Does Shindig have a private list of individuals who respond to security issues?

2. Is there a published list of past security issues so that people deploying Shindig can ensure their versions are patched against known security bugs?

Anecdotally, Shindig security issues emailed to secur...@apache.org have fallen through the cracks in the past. I'd like us to adopt a policy which ensures that all reported vulnerabilities are eventually fixed and disclosed, and which gives those who deploy Shindig a reasonable amount of time to update.

The documentation for JIRA suggests that it can be configured to create private security issues, but http://issues.apache.org/jira/browse/SHINDIG is not configured this way. For security patches under review, the codereview tool supports keeping an issue private to the creator and reviewer until the patch has been submitted.

Regards,
Jasvir