Hey everyone,

When someone discovers a potential security vulnerability for Hive (or any other Apache project), they can opt to inform the PMC of the project by following the ASF guidelines [1]. For Hive, the report should be sent to secur...@hive.apache.org.

Next, the PMC follows the steps outlined in [2] to process the report and, if it is deemed necessary, release a fix for the vulnerability.

In order to make the CVE process as smooth as possible and ensure that CVE reports are addressed in a timely manner, I would like to introduce the notion of a "CVE mentor".

The "CVE mentor" is the one responsible for bringing the reported CVE to completion, ensuring that the steps in [2] are followed. They are the principal contact person between the reporter of the vulnerability and the PMC, and the one who leads the discussions. The triage and fix can be done by the mentor or entrusted to a committer (ensuring, of course, that everything remains private till a fix is officially released). Given that we need to release a fix very soon after a vulnerability is fixed, the mentor may also need to act as the release manager.

Since the reports arrive in the private list, the CVE mentor should be someone who has access to the security list (all PMC and a few other individuals).

However, for the idea to work we need a few people (preferably PMC) to volunteer for the role of the "CVE mentor". Then the volunteers can pick incoming CVE reports in a round-robin fashion. Needless to say, since I am the one proposing it, I would like to be part of the list.

Any additional thoughts or suggestions on how to improve this process are very welcome. Also, if you like the idea and want to volunteer, please reply to this email to add yourself to the list.

Best,
Stamatis Zampetakis

[1] https://www.apache.org/security/
[2] https://www.apache.org/security/committers.html#possible