I agree with Sheng, the existing security reporting process using the main ASF channel is adequate. Thanks for reviewing this, Rohit.

Joe

On Fri, Mar 5, 2021 at 8:55 AM Sheng Zha <[email protected]> wrote:

> The security list should be ok and the PPMC will be included through
> private channel if issues are found.
>
> On 2021/03/04 01:03:20, "Srivastava, Rohit Kumar" <[email protected]> wrote:
> > Hi,
> > Bumping up the thread. If anyone thinks that there is a need to add
> > information to our Security FAQ page:
> > https://mxnet.apache.org/versions/master/api/faq/security.html
> > Please let us know.
> >
> > I would also like to bring up that current security vulnerabilities are
> > to be reported to [email protected] as per Apache guidelines. Is there a
> > requirement to have a separate mailing list for that?
> >
> > -Rohit
> >
> > From: "Srivastava, Rohit Kumar" <[email protected]>
> > Date: Friday, February 26, 2021 at 11:47 AM
> > To: "[email protected]" <[email protected]>
> > Subject: Feedback on security vulnerability reporting guidelines
> >
> > Hi,
> > MXNet has the following page that highlights steps on how to report
> > security vulnerabilities for MXNet:
> > https://mxnet.apache.org/versions/master/api/faq/security.html
> >
> > It lists instructions on reporting undisclosed vulnerabilities, security
> > practices, links to Apache security guidelines for users and committers, and
> > also lists considerations for users deploying proprietary models to
> > production services.
> >
> > IMO this page provides sufficient information to anyone as to how to
> > inform Apache or the project team about vulnerabilities in MXNet. If the
> > community could also take a look and provide suggestions if anything is
> > missing or needs improvement, that would be helpful.
> >
> > -Rohit
