We’ve had our first request for accessing our security channels at Asking for Security Access
After discussing with Ludovic Dubost and Guillaume Delhumeau we’re proposing the following small changes:
- Explain in the Security policy why the security channels are private (strangely it’s not explained)
- Improve the following text:

  > Anyone can ask to get permissions to participate to XWiki Security topics by being added to the channels mentioned above (JIRA issues, Security chat, GitHub advisories, etc). To do so, you need to ask for permission by posting on the xwiki.org forum (in the Other category) and explain why you need access. XWiki Committers will decide whether you will get access or not.

  - Explain that the committers will evaluate who the person is in order to verify his/her legitimacy and ensure he/she is not a hacker/malicious user.
  - Ask the person to commit to respecting the Security Policy, which essentially means not publicly disclosing non-public security information.
Note that we’ve discussed signing some NDA and the like but it’s too complex and we’re proposing to keep it simple.