[ https://issues.apache.org/jira/browse/CALCITE-1359?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15434054#comment-15434054 ]
Julian Hyde commented on CALCITE-1359:
--------------------------------------

I did a quick survey, and it seems that [most projects do not have a security team|http://www.apache.org/security/projects.html], which means that vulnerabilities should be reported to secur...@apache.org. Of the projects that do, Kafka seems a good model to follow; [its security page|http://kafka.apache.org/project-security.html] is simple and clear.

> Document how users can log security issues against Calcite and Avatica
> ----------------------------------------------------------------------
>
>                 Key: CALCITE-1359
>                 URL: https://issues.apache.org/jira/browse/CALCITE-1359
>             Project: Calcite
>          Issue Type: Bug
>            Reporter: Julian Hyde
>            Assignee: Julian Hyde
>
> Apache requires that projects document how to log security issues. Neither
> Calcite nor Avatica has that currently.
> Dev list and JIRA do not seem appropriate since they are public. Is the
> private list suitable? I don't want to create a new list, since the volume of
> security issues is very small.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)