I am currently working on a security assessment for XWiki. In this context, I have noticed that in the Jira project for XWiki, even Remote Code Executions are often not recorded as ‘Type: Security’, but as ‘Type: Bug’. Is there an explanation for this practice?
Hello, see Using the Security issue type in JIRA - #25 by vmassol for the full story
In short, currently our practice is to use Bug + the security label (and a confidential level when not disclosed). See also https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/ which mentions this.
Thx