How to handle duplicated security issues

Hello everyone,

So I’m opening a brainstorming here before making a proposal for an amendment to our security policy (if needed), about the way we handle duplicated issues in JIRA when they’re confidential.

The idea in general is to immediately close the JIRA tickets that duplicate another ticket, after having created a link between both. It’s perfectly fine to do that since the reporter of the ticket can follow the link to see the issue that has been duplicated and track it until it’s fixed if they want.

Now in the case of a confidential issue the story is different: if we immediately close a security issue as a duplicate after creating the link, the reporter can follow the link only if they have the proper authorization to see confidential issues. In all other cases, they just don’t have any information about the progress on the vulnerability they reported.

Personally I have always applied the same rule in both cases, especially since I never got any complaint from a reporter when closing a ticket like that, or even a request afterwards for information. Now maybe they didn’t request information because they thought it was duplicating something already fixed. I don’t know.

But apparently @tmortagne is not following this practice and on the contrary keeps the confidential duplicate open until the original one is fixed, so that the reporter of the duplicate ticket knows when the ticket is actually fixed. The problem is that, even if they know when it’s fixed, they won’t have much more info: the disclosure of details generally takes longer (per our policy). In particular, they won’t know about the version in which the issue has actually been fixed, since we don’t set a fix version for duplicated tickets.

So I’m currently not sure what the best approach for dealing with this is; maybe another option is to be able to give the reporter of the duplicate access to the duplicated ticket, but I don’t even know if it’s possible.

WDYT?

I’m fine with keeping our current rule of closing as a dup as soon as we notice a dup, and if the reporter wants to know more he/she can ask in a comment in his/her original issue.

I would prefer this, if it’s not that complex. The reporter might be interested in the discussion on the issue left open, not just in the state (fixed). In some cases we might also need more information from the reporter(s), and it would be better to keep the discussion in the same place (on the issue that is kept open).

Thanks,
Marius

To be clear, my preference goes towards closing the duplicate as soon as possible and giving the reporter access rights to the issue left open. I’m also fine with giving access rights on demand, as @vmassol suggested.

I thought about it since that would be the best IMO, but it does not seem to be possible to control access at the issue level.

Actually it might be possible, see https://community.atlassian.com/t5/Jira-articles/How-to-allow-a-user-to-see-specific-tickets-w-o-issue-security/ba-p/870195 (to be tested).

Seems it might just work for issue security too:

[Screenshot 2022-01-04 at 16.25.43]