Hi All,

We've just published a CVE and it made me think about our current announcement 
policy.

Currently, when we receive notice of a security issue, the PMC investigate it, 
fix it if it's genuine, then we prepare and publish a release without 
mentioning the security issue. A week after publication we publish the CVE.

I think we can do better. I follow haproxy and openssl announcements for 
security reasons and have found their early warning very helpful. I wonder if 
we can do something similar?

My proposal is modest. Everything stays the same as today except we announce 
that there is a security fix in the release _at the time we publish it_. The 
details are withheld for the regular 7 day period.

Are there objections to that step? Should we do more? Would it be useful to 
categorise the security issue (low, medium, high; whether it is present in the 
default config; whether it can be mitigated without taking the upgrade)?

B.
