Great idea! Every Commons component should have such a page indeed, can be a link to the same page for all of Commons IMO.
Some changes though are needed. It should be made clearer that there is an important distinction between undisclosed and disclosed issues. One way to do this is with two headings:

- Reporting a new security issue
- Asking questions about a known security issue.

"Questions about:" should be "Questions about known and reported issues:"

Gary

-------- Original message --------
From: Stefan Bodewig <bode...@apache.org>
Date: 08/31/2014 05:00 (GMT-05:00)
To: dev@commons.apache.org
Subject: Top Level Security Page

Hi all

I was just browsing the security pages of some ASF projects and the guidelines set by our security team[1] (preparing a talk, not because there was any issue) and realized Commons didn't have a page describing how to report security issues.

Since I'm the one who created the page for Compress[2] by mostly copying the Tomcat page in 2012 I know at least one component has such a page. FileUpload which fixed a security issue with the 1.3.1 doesn't have a page of its own.

I'd like to create a top level page for Commons about reporting security issues. Basically I'd take the "Reporting New Security Problems" and "Errors and Ommissions" sections from Compress' page and add a section linking to component specific subpages as they exist.

I'd like to see this page linked in either the "Commons" or "General Information" section of the navigation (which probably means doing something with parent, I'll need to sort this out).

Comments?

Stefan

[1] http://www.apache.org/security/committers.html
[2] http://commons.apache.org/proper/commons-compress/security.html