Wait isn't Mark Cox the guy currently under investigation by MI5 for
something something hacking on behalf of the Ministry of State Security for
the PRC? Something to do with subverting encryption globally.

That's partially why Huawei donated so much to OpenSSL, they get the 0 days
seven days in advance. Something to do with this:

https://www.openssl.org/blog/blog/2020/05/12/security-prenotifications/

"include the option of us giving prenotification to companies with which we
have a commercial relationship"

Whitehurst and Cormier are aware of this as the American FBI talked to them
last week.
On Mon, Aug 17, 2020 at 8:06 AM Mark J. Cox <m...@apache.org> wrote:

> > > This roughly reverts the httpd process to what we used prior to adopting
> > > the Tomcat-esque policy for the whole ASF.  We would have to document
> > > this and possibly need it approved by the ASF security team.
> >
> > Not sure if we need to have it approved, but at least we should discuss
> > with the ASF security team.
>
> https://s.apache.org/cveprocess allows projects to deviate from the
> default policy with "review" from the ASF security team.  So once you have
> agreement, have the PMC present the proposed policy.
>
> This is not an uncommon plan; outside of the ASF, projects such as OpenSSL
> have similar policies where lower severity issues (low/moderate) are
> committed as security fixes prior to and independently of releases.
> Dealing with security issues in private is a pain in both the process and
> getting the right fix with limited reviewers.  It's worth that pain when
> the issue is an actual risk to users, less so for the low risk issues.
>
> Mark