Hello everyone,
I’m opening this proposal to include some small changes in our security policy process.
Reference commits in advisories
This first change is a request we had recently: apparently it’s common practice to reference the actual commit that fixes a security vulnerability in the advisory.
So I propose we start doing the same in our own advisories.
Always provide a reproduction scenario for a vulnerability
In order to help the sponsoring company assess whether or not a vulnerability is present, it’s really helpful to provide a scenario showing how the vulnerability is exploited, or at least describing an oracle that can be used to check for the presence of the vulnerability.
Ideally this should be posted directly in the description of the JIRA ticket, either when creating it or when someone starts investigating it in order to fix it.