Asking for Security Access

Hi !

I am a Managing Security Consultant and MD at CycleSEC Information Security Consulting. We use XWiki in several customer projects for ISMS documentation according to ISO/IEC 27001. It would be great to have access to more security-related information and discussions. If you need more information, please do not hesitate to ask. :wink:

Thanks !


would that be possible to have a bit more information about the reason why you want access to the security related information and discussions? We generally grant the access to people we already know about, and apparently it’s the first time you post here and I haven’t found you either in our bug tracker.

If you need some specific information, maybe we can share them without opening up everything.


Thank you for the quick reply. I am a bit confused about your question regarding why I am interested in security-related information and discussions. That question is new to me, especially after introducing myself as an Information Security Consultant :wink:

As I don’t know what ‘everything’ is, it seems impossible for me to specify what I am particularly interested in. Probably I try to ask back: What information do you offer to your interested parties on CISO- or ISO-Level within ‘everything’?

And clearly, I am not able to give you a (satisfying) answer to your questions in public. It would be great if you could PM me. Thanks.

@CycleSEC I think Simon was just trying to assess what kind of information you’re looking for.

For example, if it’s about knowing the existing CVEs for XWiki, then they can be found at Security Advisories · xwiki/xwiki-platform · GitHub

If it’s about reporting security issues then you can also already do this.

If it’s about being privy to security discussions as they’re happening internally to the XWiki project (ie for security issues that are not yet public), then indeed you’d need to be added to various places (basically what’s listed at ). Please note that it’s quite high volume and most of these places are discussions. Apart from discussions, there’s:

  • one place on GH which contains advisories that are not public yet.
  • the list of confidential jira issues that have not been made public yet

From all of this, what would you like to have access to?

It’s the first time we’re getting a request for this :slight_smile: Which is why we’re not yet sure what kind of information we need to verify/ask. Please give us a few days after you tell us what you’d like to have access to.


Thanks for your answer @vmassol

Taking part in security discussions would be a great start. We use XWiki in several customer projects and I have a few questions :wink: and most security questions hurt.

As an example:

At the moment I am trying to verify the ISO/IEC 27001 certification of the XWiki SAS Cloud Service Provider OVH: XWiki Cloud FAQ - XWiki

OVH is neither providing the certificate nor the valid Scope or Statement of Applicability for the certification: “The ISO/IEC 27701 certificate that OVHcloud holds is available on request from our sales department or from the “Laboratoire National de Métrologie et d’Essais” certification body. Please note that the latter copy is available in French only.” So there is no evidence for the certification. That means they are not certified from a security management perspective.

It would be of help for every security management professional to find out how to get access to the Certificate, Scope and Statement of Applicability because everyone with an ISMS according to ISO/IEC 27001 has to validate that certificate from time to time if XWiki SAS/OVH is one of their cloud suppliers.

We have to do so because of:
ISO/IEC 27001 - A.5.21 - Managing information security in the ICT supply chain
ISO/IEC 27001 - A.5.22 - Monitoring and review and change management of supplier services
ISO/IEC 27001 - A.5.23 - Information security for use of cloud services

Industry best practice is to have that kind of information accessible to everyone (and of course: as a translated english version):


be aware that you’re here on the forum which is dedicated to the open source project: this project is sponsored by XWiki SAS but it has its own governance. See also:

So the channels we pointed to you are only about we won’t discuss in those any XWiki SAS related topic. And the link you provided is only about the cloud support provided by XWiki SAS: you should get in contact with them directly to get answers.

But my topic isn’t about that example, right? I kindly requested access to ‘more security-related information and discussions’ as you offer to ‘anyone’ in your Security Policy.

As far as I understand, a Security Policy targets - amongst others - Security Professionals. In that special case Security Professionals who need information about XWiki. I am such a Security Professional. Sorry for asking.

Don’t take me wrong and don’t apologize for asking :slight_smile: There’s no problem about asking for getting access to information about security on XWiki. I was just trying to clarify that the specific example you took, regarding XWiki Cloud provided by XWiki SAS is not a relevant example here: we won’t address question related to this in the security channels of that you requested access for.

That being said we will discuss internally how we grant you access to the security channels of

@CycleSEC I’m really sorry for the wait. We’ve finally finished discussing it and have updated our Security Policy accordingly (see Small changes to the Security Policy about accepting non-committers on the security channels).

All that remains to grant you access, is to have your formal acceptance of this question:

Do you consent that you won’t publicly disclose the non-public security information that you’ll have access to, before the XWiki committers make it public, and more generally that you agree to follow the rules defined in the security policy at ?

Thank you

1 Like

Not an easy issue. Thanks for your time :wink:

I accept that.

Cool, I’ve sent you a private message on this forum to get your ids on the various websites containing security information.