Hi everyone,
I’m opening this vote to propose adding a small amendment to our security policy. Right now our policy specifies:
Once an issue has been fixed and released, an embargo of 3 months is starting to allow anyone working with XWiki to perform actions before the publication of the CVE.
While it is true that we always respect the 3-month embargo, in some cases we actually use a longer embargo time on purpose. For example, when some complex issues are only fixed on a stable version because they are dangerous to backport to LTS.
So I propose that we change our rule to:
“Once an issue has been fixed and released, an embargo of at least 3 months is starting to allow anyone working with XWiki to perform actions before the publication of the CVE. The embargo might be longer than 3 months, in which case extending the embargo might be decided through a vote on the forum.”
The vote is open for 2 weeks, until Wednesday 21st of September. Here’s my +1.