justinmclean opened a new issue, #178: URL: https://github.com/apache/airflow-steward/issues/178
## Summary

The ASF `security_committers` policy (https://www.apache.org/security/committers.html) documents two ways to request a CVE ID:

> The project team requests a CVE ID from the internal portal,
> **https://cveprocess.apache.org**; **or by sending an e-mail with
> the subject "CVE request for..." to [email protected]**, providing
> a short (one-line) description of the vulnerability.

The `security-cve-allocate` skill and `tools/vulnogram/allocation.md` only document the Vulnogram portal path. The email-to-`[email protected]` alternative is not mentioned anywhere in the repo.

## Where the gap shows up

The non-PMC relay path in the skill (`allocation.md` § PMC-gated access, `security-cve-allocate` Step 3) produces a relay message asking a PMC member to click through Vulnogram. If no PMC member is available or responsive, the triager has no documented fallback. The email-to-`[email protected]` path is exactly that fallback — the ASF Security Team will allocate on the project's behalf — but the skill does not surface it.

## Required change

In `tools/vulnogram/allocation.md` § PMC-gated access, add a note after the non-PMC relay description:

> **Fallback when no PMC member is reachable:** send an email to
> `[email protected]` with subject `CVE request for <one-line
> description>`. The ASF Security Team will allocate the CVE and
> send the ID back. Re-invoke `security-cve-allocate` with the
> returned `CVE-YYYY-NNNNN` as an override to resume from Step 4.

Also add a corresponding note in `security-cve-allocate` Step 3 where the non-PMC relay recipe is presented.

## Policy reference

- https://www.apache.org/security/committers.html — "CVE IDs" section and step 6 under "Handling a possible vulnerability"

## Notes

This is documentation-only — no skill logic changes required. The email path is already fully supported by the ASF Security Team; it just needs to be surfaced to triagers who hit the "no PMC member available" case.
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
