Thanks for your answer @vmassol
Taking part in security discussions would be a great start. We use XWiki in several customer projects and I have a few questions and most security questions hurt.
As an example:
At the moment I am trying to verify the ISO/IEC 27001 certification of the XWiki SAS Cloud Service Provider OVH: XWiki Cloud FAQ - XWiki
OVH is neither providing the certificate nor the valid Scope or Statement of Applicability for the certification: “The ISO/IEC 27701 certificate that OVHcloud holds is available on request from our sales department or from the “Laboratoire National de Métrologie et d’Essais” certification body. Please note that the latter copy is available in French only.” So there is no evidence for the certification. That means they are not certified from a security management perspective.
It would be of help for every security management professional to find out how to get access to the Certificate, Scope and Statement of Applicability because everyone with an ISMS according to ISO/IEC 27001 has to validate that certificate from time to time if XWiki SAS/OVH is one of their cloud suppliers.
We have to do so because of:
ISO/IEC 27001 - A.5.21 - Managing information security in the ICT supply chain
ISO/IEC 27001 - A.5.22 - Monitoring and review and change management of supplier services
ISO/IEC 27001 - A.5.23 - Information security for use of cloud services
Industry best practice is to have that kind of information accessible to everyone (and of course: as a translated english version):