Hi,

I just now noticed while looking at a podling's maturity evaluation that the requirement Q030[1] has an issue. The podling stated that security issues are submitted to JIRA! The wording on the model needs to be updated so that it is clear that the reporting of a security issue must be by a secure channel.

I think that Q030 should be updated to include the word “secure” between well-documented and channel:

The project provides a well-documented secure channel to report security issues, along with a documented way of responding to them

Any objections?

Regards,
Dave

[1] http://community.apache.org/apache-way/apache-project-maturity-model.html