Amendment on Security Policy for embargo duration

Hi everyone,

I propose that we amend our Security policy regarding the embargo duration. Right now the rule (recently changed) is:

Once an issue has been fixed and released, an embargo of at least 3 months starts, to allow anyone working with XWiki to perform actions before the publication of the CVE. The embargo might be longer than 3 months, in which case extending the embargo might be decided through a vote on the forum.

I propose that we change it again for the case where the fix is not applied to an LTS version: the embargo should always be 3 months after an LTS version containing the fix is released. The idea here is mainly to avoid opening lots of votes when such a case happens, especially when it's the end of the year and it becomes difficult to apply patches to the previous LTS.

So I propose the following sentence:

Once an issue has been fixed and released, an embargo of at least 3 months starts, to allow anyone working with XWiki to perform actions before the publication of the CVE. The 3-month embargo starts when an LTS release including the patch has been published. The embargo might be longer than 3 months, in which case extending the embargo might be decided through a vote on the forum.

This vote is open for 2 weeks, until Friday 18th of November. Here's my +1.


For me, it should be a more generic “3 months after the supported branches are released with a fix”.

+1

+1

Thanks,
Marius

+1

Thanks,
Alex

+1, thank you!

+1, with a link on supported branches pointing to https://www.xwiki.org/xwiki/bin/view/Main/Support#HSupportedVersions

Thanks


I would be a bit more specific then:
"3 months after all supported branches are released with a fix", with a pointer to https://www.xwiki.org/xwiki/bin/view/Main/Support#HSupportedVersions. And I'd still mention that if a vulnerability is not patched in an LTS branch, then we need to wait until an LTS branch contains it.

Sure, that’s of course what I meant, but it’s even more clear that way.

If you want, but that’s already what the previous line means (if you don’t fix a supported branch, then you need to wait for it to not be supported anymore). It does not matter if it’s a LTS or something else.

OK, we're on the same page. I won't ask you to recast your votes @mflorea @MichaelHamann @acotiuga; I consider you also agreed with Thomas' suggestion since you didn't say otherwise. Let me know quickly if I'm wrong here: I'll close this vote tomorrow and document it with Thomas' suggestion.

I agree, please go ahead!