This is an automated email from the ASF dual-hosted git repository.

edcoleman pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/accumulo-website.git


The following commit(s) were added to refs/heads/main by this push:
     new edd13c67 Add CVE reporting to contact page (#372)
edd13c67 is described below

commit edd13c6707184947ec55e3078a2c93da09cf9efc
Author: EdColeman <d...@etcoleman.com>
AuthorDate: Thu Feb 2 12:21:36 2023 -0500

    Add CVE reporting to contact page (#372)
    
    - Adds Accumulo CVE process and reporting information to the `Contact Us` page
    - Closes Jira issue [ACCUMULO-3277](https://issues.apache.org/jira/browse/ACCUMULO-3277)
---
 pages/contact-us.md | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/pages/contact-us.md b/pages/contact-us.md
index 5407d275..f455de71 100644
--- a/pages/contact-us.md
+++ b/pages/contact-us.md
@@ -8,10 +8,34 @@ redirect_from:
 
 Below are ways to get in touch with the Apache Accumulo community.
 
-## Issues
+## Reporting Issues
 
 Accumulo uses GitHub issues to track bugs and new features. Visit [How to 
contribute](/how-to-contribute) for more information.
 
+## Reporting Security Issues (CVE)
+
+We strongly encourage reporting potential security issues by privately 
emailing `priv...@accumulo.apache.org` or 
+`secur...@apache.org` That means, for example, that you should not create a 
public GitHub issue, since those would make 
+the issue public. GitHub pull requests and any messages associated with any 
commits should not make any reference to 
+the security nature of the commit.
+
+The Accumulo project follows the standard [ASF vulnerability 
handling](https://www.apache.org/security/#asf-security-team) 
+process as outlined by the ASF Security Team.
+
+An overview of the process is:
+- The reporter reports the vulnerability privately to Accumulo community by 
sending an email to 
+`priv...@accumulo.apache.org` or the ASF Security Team  `secur...@apache.org`.
+- The Accumulo project works privately with the reporter to resolve the 
vulnerability.
+- The Accumulo project creates a new release of the package the vulnerability 
affects to deliver its fix.
+- The Accumulo project publicly announces the vulnerability and describes how 
to apply the fix.
+
+Please:
+1. Do not make information about the vulnerability public until it is formally 
announced by the Accumulo community.
+2. Do not email the user, dev mailing or any public mailing list
+3. Do not send a message via Slack
+4. Do not create a GitHub issue
+5. Do not create a GitHub pull request that makes any reference to the 
security nature of the commit.
+
 ## Mailing Lists
 
 The Accumulo mailing lists are for general discussions, questions, and 
announcements. While you can read the archives
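Review bot: The first paragraph of the new "Reporting Security Issues (CVE)" section is missing a sentence break between the second address and "That means": "`secur...@apache.org` That means, for example, ..." should read "`secur...@apache.org`. That means, for example, ...". A few smaller wording fixes in the same hunk would help: "privately to Accumulo community" needs "the" ("to the Accumulo community"), "Do not email the user, dev mailing or any public mailing list" should read "the user or dev mailing lists, or any public mailing list", and the "Please:" list punctuates items 1 and 5 with a period but not items 2 to 4. Finally, items 4 and 5 of the "Please:" list repeat the GitHub issue and pull-request prohibitions already stated in the opening paragraph; consider keeping them in one place (the numbered list reads as the natural home) so the two copies cannot drift apart later.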
