Date: Thu, 28 Jan 2016 21:37:39 +0000 (UTC)
From: "Pramod Immaneni (JIRA)"
To: dev@apex.incubator.apache.org
Subject: [jira] [Commented] (APEXCORE-318) Document security vulnerability process

[ https://issues.apache.org/jira/browse/APEXCORE-318?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15122346#comment-15122346 ]

Pramod Immaneni commented on APEXCORE-318:
------------------------------------------

Chris, if we follow a model similar to Hadoop's of using a separate email list, is it OK to ask infra for an email list like security@apex.apache.org (without using incubator), or should we wait till the last possible moment before becoming top level to request this?

Secondly, since the nature of groups like these would be to not announce issues to the public until the vulnerabilities are fixed, is it right to assume that the membership of this group is selective and may not be every committer?

Also, how do groups like these track issues before the vulnerabilities are fixed? Can JIRA still be used without making the information public for these till the fix?

> Document security vulnerability process
> ---------------------------------------
>
>                 Key: APEXCORE-318
>                 URL: https://issues.apache.org/jira/browse/APEXCORE-318
>             Project: Apache Apex Core
>          Issue Type: Task
>            Reporter: Chris Nauroth
>            Assignee: Pramod Immaneni
>              Labels: tlp
>
> QU30
> The project provides a well-documented channel to report security issues,
> along with a documented way of responding to them.
> I couldn't find a security vulnerability process documented at
> apex.incubator.apache.org. Example:
> http://hadoop.apache.org/mailing_lists.html

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)