geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kevan Miller <>
Subject Re: [DISCUSS] Security Vulnerability Policy created
Date Mon, 19 Jan 2009 14:44:59 GMT

On Jan 19, 2009, at 9:14 AM, Donald Woods wrote:

> There was a long discussion around mid-December on the private and  
> security Geronimo mailing lists about how to handle security  
> vulnerabilities.  The outcome of that discussion (which is mainly a  
> boilerplate suggested by Mark Thomas for all projects to use) can be  
> found on our Project Policies wiki page at -
> If you see anything that needs changing or information that needs to  
> be added, then please discuss on this thread.

The only question I had concerned step 6. Should the fix be discussed  
on security@ and/or private@? It needs to be on a "private" list, to  
properly embargo the vulnerability until a fix is available. Since  
most of the discussions of the issue occur on security@geronimo, I  
think discussion of the fix is most appropriate there.


View raw message