We discussed dealing with old security issues in the past in this thread: Dealing with old fixed security issues - #14 by surli. I recently discussed this topic again with XWiki SAS to get their opinion as well, so I'm coming back with a final proposal that I submit to a vote so that we can move on with this subject.
My proposal concerns only the tickets on https://jira.xwiki.org that have a security level set to Confidential and which were closed before we put our security policy in place (the policy was put in place during the XWiki 11.x cycle, so I'm counting here the issues with a fix version up to 11.10.x).
The proposal is twofold; it consists of:
- removing the confidential label for all issues fixed with a fix version before XWiki 8.4.6, without creating any CVE for them
- removing the confidential label within one year for the remaining issues that are not part of our standard process, with a case-by-case review with XWiki SAS: e.g. some issues might get a CVE, some others might just be disclosed, and some might be delayed. Ideally this work won't be done as a batch in one year, but over the whole year by reviewing some tickets each month.
This vote is open for two weeks, until Tuesday, September 13th.
Here’s my +1