Security Policy Amendment: systematic vote for extending CVE embargo

Hi everyone,

I’m opening this vote to propose adding a small amendment to our security policy. Right now our policy specifies:

“Once an issue has been fixed and released, an embargo of 3 months starts to allow anyone working with XWiki to perform actions before the publication of the CVE.”

While it is true that we always respect the 3-month embargo, in some cases we actually use a longer embargo on purpose. For example, when some complex issues are only fixed on a stable version because they are dangerous to backport to LTS.

So I propose that we change our rule to:

“Once an issue has been fixed and released, an embargo of at least 3 months starts to allow anyone working with XWiki to perform actions before the publication of the CVE. The embargo might be longer than 3 months, in which case extending the embargo might be decided through a vote on the forum.”

The vote is open for 2 weeks, until Wednesday, 21 September. Here’s my +1.

+1

+1

+1, Thanks

+1

I’m counting 5 +1s. Closing the vote and publishing the new rule.