Asking for Security Access

Hi!

I am a Managing Security Consultant and MD at CycleSEC Information Security Consulting. We use XWiki in several customer projects for ISMS documentation according to ISO/IEC 27001. It would be great to have access to more security-related information and discussions. If you need more information, please do not hesitate to ask. :wink:

Thanks!

Hi,

Would it be possible to have a bit more information about why you want access to the security-related information and discussions? We generally grant access to people we already know, and apparently this is the first time you have posted here, and I haven’t found you in our bug tracker either.

If you need some specific information, maybe we can share it without opening up everything.

Thanks

Thank you for the quick reply. I am a bit confused about your question regarding why I am interested in security-related information and discussions. That question is new to me, especially after introducing myself as an Information Security Consultant :wink:

As I don’t know what ‘everything’ is, it seems impossible for me to specify what I am particularly interested in. Perhaps I should ask back: What information do you offer to your interested parties at CISO or ISO level within ‘everything’?

And clearly, I am not able to give you a (satisfying) answer to your questions in public. It would be great if you could PM me. Thanks.

@CycleSEC I think Simon was just trying to assess what kind of information you’re looking for.

For example, if it’s about knowing the existing CVEs for XWiki, then they can be found at Security Advisories · xwiki/xwiki-platform · GitHub

If it’s about reporting security issues then you can also already do this.

If it’s about being privy to security discussions as they’re happening internally to the XWiki project (ie for security issues that are not yet public), then indeed you’d need to be added to various places (basically what’s listed at https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/#HAddinganewsecuritymember ). Please note that it’s quite high volume and most of these places are discussions. Apart from discussions, there’s:

  • one place on GH which contains advisories that are not public yet.
  • the list of confidential jira issues that have not been made public yet

From all of this, what would you like to have access to?

It’s the first time we’re getting a request for this :slight_smile: Which is why we’re not yet sure what kind of information we need to verify/ask. Please give us a few days after you tell us what you’d like to have access to.

Thanks

Thanks for your answer @vmassol

Taking part in security discussions would be a great start. We use XWiki in several customer projects and I have a few questions :wink: and most security questions hurt.

As an example:

At the moment I am trying to verify the ISO/IEC 27001 certification of the XWiki SAS Cloud Service Provider OVH: XWiki Cloud FAQ - XWiki

OVH is providing neither the certificate nor the valid Scope or Statement of Applicability for the certification: “The ISO/IEC 27701 certificate that OVHcloud holds is available on request from our sales department or from the “Laboratoire National de Métrologie et d’Essais” certification body. Please note that the latter copy is available in French only.” So there is no evidence for the certification. That means they are not certified from a security management perspective.

It would be of help for every security management professional to find out how to get access to the Certificate, Scope and Statement of Applicability because everyone with an ISMS according to ISO/IEC 27001 has to validate that certificate from time to time if XWiki SAS/OVH is one of their cloud suppliers.

We have to do so because of:
ISO/IEC 27001 - A.5.21 - Managing information security in the ICT supply chain
ISO/IEC 27001 - A.5.22 - Monitoring and review and change management of supplier services
ISO/IEC 27001 - A.5.23 - Information security for use of cloud services

Industry best practice is to have that kind of information accessible to everyone (and of course as a translated English version):
e.g. https://www.hetzner.com/unternehmen/zertifizierung/

Hi,

Be aware that you’re here on the xwiki.org forum, which is dedicated to the open source project: this project is sponsored by XWiki SAS but it has its own governance. See also: https://www.xwiki.org/xwiki/bin/view/Main/Supporters/SponsoringCompanies/

So the channels we pointed you to are only about XWiki.org: we won’t discuss any XWiki SAS related topic in them. And the link you provided is only about the cloud support provided by XWiki SAS: you should get in contact with them directly to get answers.

But my topic isn’t about that example, right? I kindly requested access to ‘more security-related information and discussions’ as you offer to ‘anyone’ in your Security Policy.

As far as I understand, a Security Policy targets - amongst others - Security Professionals. In that special case Security Professionals who need information about XWiki. I am such a Security Professional. Sorry for asking.

Don’t take me wrong, and don’t apologize for asking :slight_smile: There’s no problem with asking for access to information about security on XWiki. I was just trying to clarify that the specific example you took, regarding XWiki Cloud provided by XWiki SAS, is not a relevant example here: we won’t address questions related to this in the security channels of XWiki.org that you requested access to.

That being said we will discuss internally how we grant you access to the security channels of XWiki.org.

@CycleSEC I’m really sorry for the wait. We’ve finally finished discussing it and have updated our Security Policy accordingly (see Small changes to the Security Policy about accepting non-committers on the security channels).

All that remains to grant you access is to have your formal acceptance of this question:

Do you consent that you won’t publicly disclose the non-public security information that you’ll have access to, before the XWiki committers make it public, and more generally that you agree to follow the rules defined in the security policy at https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/ ?

Thank you


Not an easy issue. Thanks for your time :wink:

I accept that.

Cool, I’ve sent you a private message on this forum to get your ids on the various websites containing security information.