Hi Scott, Thanks for the quick reply and information on how to report, it’s very helpful and appreciated (as it saves me having to find it).
My question was more around where a vulnerability would be disclosed in the event one was to be found (we just need to tell our security people where to look, and I don't have one to disclose right now). Would it just be via the mailing list? Again, if that's TBD I think that's answer enough for right now.

Regards,
Jackson

From: C. Scott Andreas <sc...@paradoxica.net>
Date: Wednesday, 21 May 2025 at 9:28 am
To: Fleming, Jackson via user <user@cassandra.apache.org>
Cc: user@cassandra.apache.org <user@cassandra.apache.org>, Fleming, Jackson <jackson.flem...@netapp.com>
Subject: Re: Apache Cassandra Sidecar - Vulnerability Advisory Location

Hi Jackson, thanks for reaching out.

Details on the ASF responsible disclosure process can be found here: https://apache.org/security/#reporting-a-vulnerability

Thanks for your team's proactive attention to responsible disclosure. ASF and Apache Cassandra are happy to triage and investigate any vulnerability reported in the project.

Cheers,

– Scott

On May 20, 2025, at 4:20 PM, "Fleming, Jackson via user" <user@cassandra.apache.org> wrote:

Hi everyone,

We're looking at the Apache Cassandra Sidecar project (https://github.com/apache/cassandra-sidecar). Our security team has asked us: in the event of a vulnerability being found, would that be disclosed via the GitHub security advisory system, or would it be disclosed via another mechanism?

I couldn't really find any details in the repo; as it's a very new project I can imagine it's not something that's been thought about yet.

Regards,
Jackson