Security Policy for contrib projects

Hi everyone,

we adopted a security policy for XWiki few months ago (XWiki Security Policy (Community.SecurityPolicy.WebHome) - XWiki) but we never really clarified the security policy for XWiki contrib extensions.
IMO contrib extensions should follow the same policy and we should mention it in

In practice I see one improvment that we should made for this to happen: right now the security issues are created in JIRA and marked as confidential and only few people can read them. It would make sense that the lead of a project could always see the confidential issue of her own contrib project, even if she doesn’t have the right to see all confidential issue.


Jira project leads don’t already have the right to see all the issues of the project ?

I honestly don’t know. But we need to check that if the policy is aimed to be adopted for contrib projects.

Not sure this point really need to be explicit in the policy but sure the project lead should have access to all the project issues.

Note that contrib projects are already supposed to follow the rules at already (see

Sounds good.

I assumed that yes, here the proposal is more to emphasize about the need to comply to the same security policy by mentioning it in In the future we can imagine amending this policy specifically for contrib: for example if we consider that the embargo delay should be different from XWiki Standard.

Sure I didn’t mean to mention that in the policy, just to check it since it’s a technicality that might prevent complying to the policy.