Hi everyone,
I propose that we amend our Security policy regarding the embargo duration. Right now the rule (recently changed) is:
Once an issue has been fixed and released, an embargo of at least 3 months is starting to allow anyone working with XWiki to perform actions before the publication of the CVE. The embargo might be longer than 3 months, in which case extending the embargo might be decided through a vote on the forum.
I propose that we change it again in case the fix is not applied to a LTS version: the embargo should always be 3 months after a LTS version containing the fix is released. The idea here is mainly to avoid opening lots of votes when such a case happens, especially when it’s the end of the year and it becomes difficult to apply patches to previous LTS versions.
So I propose the following sentence:
Once an issue has been fixed and released, an embargo of at least 3 months is starting to allow anyone working with XWiki to perform actions before the publication of the CVE. The 3 months embargo starts when a LTS release including the patch has been published. The embargo might be longer than 3 months, in which case extending the embargo might be decided through a vote on the forum.
This vote is open for 2 weeks, until Friday 18th of November. Here’s my +1.