Hi, Maybe you have heard about Equifax and Apache Struts recently. While following the story on the ASF members side I read some emails which made me think about our security issues diffusion strategy.
There are 2 things projects like HTTPD and Tomcat do: 1. They amend the commits that fixed the issue by adding a the CVE reference in the comment 2. Tomcat also includes a link/s to the commit/s that fixed the issue on their security page. We already do 1 (at least I found some commits logs amended) but should we not also do 2 at https://ofbiz.apache.org/download.html ? Jacques