So I’m opening a brainstorming here before making a proposal for an amendment to our security policy (if needed), about the way we handle duplicated issues in JIRA when they’re confidential.
The idea in general is to immediately close the JIRA tickets that duplicate another ticket, after having created a link between both. It’s perfectly fine to do that since the reporter of the ticket can follow the link to see the issue that has been duplicated and track it until it’s fixed if they want.
Now in the case of a confidential issue the story is different: if we immediately close a security issue as duplicated, with the creation of the link, the reporter can follow the link only if they have the proper authorization to see confidential issues. In all other cases, they just don’t have any information about the progress on the vulnerability they reported.
Personally I always applied the same rule in both conditions, especially since I never got any complaint from a reporter when closing a ticket like that, or even a request afterwards to get information. Now maybe they didn’t request information because they thought it was duplicating something already fixed. I don’t know.
But apparently @tmortagne is not following this practice and on the contrary keeps the Confidential duplicate open until the original one is fixed, so that the reporter of the duplicate ticket knows when the ticket is actually fixed. The problem is that, even if they know when it’s fixed, they won’t have much more info: the disclosure of details generally takes longer (per our policy). In particular, they won’t know about the version in which the issue has actually been fixed, since we don’t put a fix version on duplicated tickets.
So I’m currently not sure what’s the best approach for dealing with this; maybe another option is to be able to give access to the duplicated ticket to the reporter of the duplicate, but I don’t even know if it’s possible.