This is Flavio, I'm one of the project mentors, and I'd like to start a discussion thread about creating a security list. Let me start with some background.
The ASF has a security team that provides guidance to projects on security matters and coordinates the handling of security vulnerabilities, e.g., handling CVE requests. The security team has a general secur...@apache.org address to receive reports and to communicate with projects. See this page for more information: https://www.apache.org/security/

Some projects opt for having their own security team and consequently their own security list. Project security teams evaluate vulnerability reports submitted about the project and interact with both reporters and the Apache Security Team. If we create such a list for this project, then it would be listed here: https://www.apache.org/security/projects.html

And vulnerability reports would be sent to that list for evaluation. Without a project security list, any vulnerability report will be sent to the general secur...@apache.org list, which will then be forwarded to the private@nuttx list.

In the case the team decides to have its own security team, the team includes project PMC members, and it could also include committers if the project chooses to. At this point of the project, there is no difference between the set of committers and PPMC, but it might make a difference later on.

The two points I suggest we discuss and eventually move to vote depending on the feedback are:

1- Should this project have a security team and create a secur...@nuttx.apache.org list for this project?
2- Should the security list include only project PMC members or also interested committers?

Thanks,
-Flavio