Security Policy Process Amendment

Hi everyone,

I’d like to remove step 3 from our official process for handling security issues as written in https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/#HWhat2019stheprocesstohandlesecurityissuesforcommitters3F:

  1. Announce the problem on the security section of the forum

because we just never do it in practice. We do announce on the forum when we have actually fixed the security issue (which is step 7 in our current process) because we do have all the info then. Step 3 looks redundant with the actual list of security issues on Jira, which is also sent on the security ML regularly and which anyone who is granted security access can check directly on Jira.

I’ll do the removal at the end of the week unless somebody disagrees.

+1

+0

Thanks,
Marius

+0 as in theory it would be beneficial to be open and announce issues early.
But, in practice:

  1. we don’t do it
  2. interested people can easily follow Jira for security issues

Changes are done: https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/?viewer=changes&rev1=22.1&rev2=23.1&