Hi everyone,
we adopted a security policy for XWiki a few months ago (XWiki Security Policy (Community.SecurityPolicy.WebHome) - XWiki) but we never really clarified the security policy for XWiki contrib extensions.
IMO contrib extensions should follow the same policy and we should mention it in http://contrib.xwiki.org/xwiki/bin/view/Main/WebHome.
In practice I see one improvement that we should make for this to happen: right now the security issues are created in JIRA and marked as confidential, and only a few people can read them. It would make sense that the lead of a project could always see the confidential issues of her own contrib project, even if she doesn’t have the right to see all confidential issues.
WDYT?