On Wed, Jan 14, 2015 at 8:29 PM, Phil Steitz <phil.ste...@gmail.com> wrote:
> ...QO30 - do we really want individual projects to have / advertise
> their own ways to take security reports?...

We do not want that, agreed, but as I want the model to be usable by non-Apache projects as well I'm trying to focus on the core principles in the model, and leave the Apache specifics to footnotes.

I have added a footnote to QU30 that points to http://www.apache.org/security/ as the default, does that work for you?

Sling for example has http://sling.apache.org/project-information/security.html which is a bit more Sling-specific and also points to http://www.apache.org/security/

-Bertrand