Hey All, I've been chatting with security@ about what our requirements are for reporting issues.
Background info:

- Security issues are reported to security@ where we have someone from mitre.org who adds the report to their database of CVEs (Common Vulnerabilities and Exposures).

Additionally, projects tend to create a page dedicated to these vulnerabilities:

- http://geronimo.apache.org/21x-security-report.html

A similar report is available from Secunia:

- http://secunia.com/advisories/product/15811/?task=advisories

It's pretty clear we have some requirements to fill on this front. At minimum, a page on our site to record vulnerabilities fixed in each TomEE release.

Currently, there's one issue for Tomcat that does affect all existing TomEE releases:

- http://secunia.com/advisories/56830/

Still digging, but since we released TomEE in 2011, there've been at least a dozen CVEs for Tomcat, 4 for CXF, and 2 for MyFaces. Haven't yet checked all the components.

We always upgrade each release, but two things stick out at me:

1. we need to include this in our release notes
2. it's a long time between releases

For #1, I'll see what I can do about hacking up a page we can maintain. For #2, perhaps a separate thread is better. Lots of ways to skin that cat.

-David
