Amendment on Security Policy for embargo duration

surli · November 4, 2022, 10:10am

Hi everyone,

I propose that we amend our Security policy regarding the embargo duration. Right now the rule (recently changed) is:

Once an issue has been fixed and released, an embargo of at least 3 months is starting to allow anyone working with XWiki to perform actions before the publication of the CVE. The embargo might be longer than 3 months, in which case extending the embargo might be decided through a vote on the forum.

I propose that we change it again in case the fix is not applied to a LTS version: the embargo should always be 3 months after a LTS version containing the fix is released. The idea here is mainly to avoid opening lots of vote when such case happens. Especially when it’s end of the year and it becomes difficult to apply patches to previous LTS.

So I propose the following sentence:

Once an issue has been fixed and released, an embargo of at least 3 months is starting to allow anyone working with XWiki to perform actions before the publication of the CVE. The 3 months embargo starts when a LTS release including the patch has been published. The embargo might be longer than 3 months, in which case extending the embargo might be decided through a vote on the forum.

This vote is opened for 2 weeks until friday 18th of November. Here’s my +1.

tmortagne · November 4, 2022, 10:44am

For me, it should be a more generic “3 months after the supported branches are released with a fix”.

+1

mflorea · November 4, 2022, 12:59pm

+1

Thanks,
Marius

acotiuga · November 4, 2022, 1:09pm

+1

Thanks,
Alex

MichaelHamann · November 11, 2022, 1:13pm

+1, thank you!

vmassol · November 14, 2022, 8:58am

+1, with a link on supported branches pointing to Support (XWiki.org)

Thanks

surli · November 22, 2022, 2:13pm

I would be a bit more specific then:
“3 months after all supported branches are released with a fix” with a pointer to Support (XWiki.org). And I’d still mention that if a vulnerability is not patched in a LTS branch, then we need to wait until a LTS branch contains it.

tmortagne · November 22, 2022, 2:44pm

Sure, that’s of course what I meant, but it’s even more clear that way.

If you want, but that’s already what the previous line means (if you don’t fix a supported branch, then you need to wait for it to not be supported anymore). It does not matter if it’s a LTS or something else.

surli · November 22, 2022, 2:51pm

Ok we’re on the same page. I won’t ask to recast your votes @mflorea @MichaelHamann @acotiuga I consider you also agreed with Thomas suggestion since you didn’t say otherwise. Let me know quickly if I’m wrong here: I’ll close this vote tomorrow and document with Thomas’ suggestion.

acotiuga · November 23, 2022, 7:45am

I agree, please go ahead!