This is an automated email from the ASF dual-hosted git repository. edcoleman pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/accumulo-website.git
The following commit(s) were added to refs/heads/main by this push: new edd13c67 Add CVE reporting to contact page (#372) edd13c67 is described below commit edd13c6707184947ec55e3078a2c93da09cf9efc Author: EdColeman <d...@etcoleman.com> AuthorDate: Thu Feb 2 12:21:36 2023 -0500 Add CVE reporting to contact page (#372) - Adds Accumulo CVE process and reporting information to the `Contact Us` page - Closes Jira issue [ACCUMULO-3277](https://issues.apache.org/jira/browse/ACCUMULO-3277) --- pages/contact-us.md | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/pages/contact-us.md b/pages/contact-us.md index 5407d275..f455de71 100644 --- a/pages/contact-us.md +++ b/pages/contact-us.md 
@@ -8,10 +8,34 @@ redirect_from: Below are ways to get in touch with the Apache Accumulo community. -## Issues +## Reporting Issues Accumulo uses GitHub issues to track bugs and new features. Visit [How to contribute](/how-to-contribute) for more information. +## Reporting Security Issues (CVE) + +We strongly encourage reporting potential security issues by privately emailing `priv...@accumulo.apache.org` or +`secur...@apache.org` That means, for example, that you should not create a public GitHub issue, since those would make +the issue public. GitHub pull requests and any messages associated with any commits should not make any reference to +the security nature of the commit. + +The Accumulo project follows the standard [ASF vulnerability handling](https://www.apache.org/security/#asf-security-team) +process as outlined by the ASF Security Team. + +An overview of the process is: +- The reporter reports the vulnerability privately to Accumulo community by sending an email to +`priv...@accumulo.apache.org` or the ASF Security Team `secur...@apache.org`. +- The Accumulo project works privately with the reporter to resolve the vulnerability. +- The Accumulo project creates a new release of the package the vulnerability affects to deliver its fix. +- The Accumulo project publicly announces the vulnerability and describes how to apply the fix. + +Please: +1. Do not make information about the vulnerability public until it is formally announced by the Accumulo community. +2. Do not email the user, dev mailing or any public mailing list +3. Do not send a message via Slack +4. Do not create a GitHub issue +5. Do not create a GitHub pull request that makes any reference to the security nature of the commit. + ## Mailing Lists The Accumulo mailing lists are for general discussions, questions, and announcements. While you can read the archives
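Review bot: the first paragraph of the new "Reporting Security Issues (CVE)" section runs two sentences together: `secur...@apache.org` That means, for example, ... needs a period after the second address, and that sentence is clearer as "That means, for example, that you should not create a public GitHub issue, since that would make the issue public." In the "Please:" list, item 2 ("Do not email the user, dev mailing or any public mailing list") is missing a word; suggest "Do not email the user or dev mailing lists, or any other public mailing list." Items 2, 3 and 4 also lack the terminal period that items 1 and 5 have. Minor: in the process overview, "reports the vulnerability privately to Accumulo community" should read "to the Accumulo community".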