That is very closely read, i.e., that's the one item I was least confident about.
On the other hand, here's the security page of one the other Apache projects, which doesn't say much more than the official Apache security page contains: http://servicecomb.apache.org/security/ Though, indeed, having our own security page with a list of CVE-s could be good, though I feel what is there, given the above page not being much more, is sufficient -- unless there is strong objection? Gj On Thu, Jan 31, 2019 at 4:18 PM Laszlo Kishalmi <laszlo.kisha...@gmail.com> wrote: > Dear Geertjan, community, > > On QU30. The project provides a well-documented channel to report > security issues, along with a documented way of responding to them. > > The: "Website provides a link in the footer to the Apache Security page > <https://www.apache.org/security/>." I guess satisfies the criteria, > though shouldn't have we have an own security page, listing our CVE-s > and how to address them, then a link from there to the Apache Security > page? > > On 1/31/19 4:57 AM, Geertjan Wielenga wrote: > > Hi all, > > > > As part of the process to move us out of the Apache Incubator, we need to > > do a self-analysis of our maturity as an Apache project. > > > > I have completed the self-analysis here: > > > > > https://cwiki.apache.org/confluence/display/NETBEANS/Apache+Maturity+Model+Assessment+for+NetBeans > > > > Comments are welcome and needed! > > > > Feel free to respond in this thread with caveats, thoughts, additions, > > comments, insights, etc. > > > > Thanks, > > > > Gj > > >
