Disclosure timelines of security vulnerabilities

Hi everyone,

I don’t want to propose anything new here, more writing down some guidelines for committers handling security vulnerabilities that we should already follow in practice:

  • when the reporter asks about disclosure dates, communicate the timelines that are defined in the security policy
  • when the reporter suggests an earlier disclosure date than our standard process, ask them if they could delay disclosure to follow our disclosure dates
  • prioritize issues as much as reasonably possible to avoid a disclosure by the reporter before we’ve released fixed versions (highest priority) and before our own disclosure
  • if the reporter seems likely to disclose the vulnerability before our own planned disclosure, discuss the further process on the security forum, ensuring that in particular the sponsoring companies are aware of this

I propose adding these points as guidelines at the end of https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/#HWhat2019stheprocesstohandlesecurityissuesforcommitters3F

Thank you very much for your feedback!

+1 thanks

Not sure about sponsoring companies. I think we just need to discuss it on the security channels (the xwiki-security matrix chat for ex, where sponsoring companies are + other users who asked to be on this chat). So I’d make it more generic than sponsoring companies.

+1 otherwise

Thx

+1 as well, thanks

+1 with Vincent’s remark.

Thanks,
Marius

+1

What about:

If the reporter seems likely to disclose the vulnerability before our own planned disclosure, discuss the further process on the appropriate security channels.

@vmassol is that what you had in mind?

I wanted to specifically mention sponsoring companies because I think it is important to ensure that they are aware of such cases as they might need to prioritize developing or rolling out patches or workarounds, inform clients, and prepare a marketing campaign to counter potential bad press.

Regarding the matrix chat, our security policy states:

It should be mainly used to discuss about the security policy and technical details about a specific issue.

For this reason, I’m not sure if it is the right channel to inform everybody about a potential early disclosure. I think we should use the same channel(s) that we use to inform about fixed vulnerabilities and their expected disclosure date, which is currently the security forum. Messages on the chat can be easily missed, in particular if it is a single message buried in a long technical discussion. However, I think it is okay to just mention “appropriate” as proposed above and let the committer decide what is appropriate in the specific case.

Sounds good.

ok

Thx