Hi,

> Thanks for the information.
> In that case, I am +1 for secur...@dubbo.apache.org.

Requested and the email list should be created soon.

> Further question: if the vulnerability report is related to some
> project Dubbo depends on, what kind of action should Dubbo security
> team take?
> Should we accept it, update to the fixed version, and then announce it?

In short, but it's a bit more involved than that. For full details see [1].

Note that, as an exception to the usual "talk about it on the dev list",
discussion should be kept to private lists to reduce the risk of someone taking
advantage of the security issue before it is fixed.

Thanks,
Justin

1. https://www.apache.org/security/committers.html
