janhoy commented on code in PR #86:
URL: https://github.com/apache/solr-site/pull/86#discussion_r1049069644


##########
content/pages/security.md:
##########
@@ -10,17 +10,42 @@ Every CVE that is detected by a software scanner is by 
definition already public
 
 To find a path forward in addressing a detected CVE we suggest the following 
process for fastest results:
 
-1. Check further down this page to see if the CVE is listed as exploitable in 
Solr.
-2. Check the [officially published non-exploitable 
vulnerabilities](https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools)
 list to see if the CVE is listed as not exploitable in Solr.
+1. Check [further down this page](#recent-cve-reports-for-apache-solr) to see 
if the CVE is listed as exploitable in Solr.
+2. Check the [officially published non-exploitable 
vulnerabilities](#cve-reports-for-apache-solr-dependencies) list to see if the 
CVE is listed as not exploitable in Solr.
 3. Search through the [Solr users mailing list 
archive](https://lists.apache.org/list.html?us...@solr.apache.org)  to see if 
anyone else has brought up this dependency CVE.
 4. If no one has, then please do [subscribe to the users mailing 
list](https://solr.apache.org/community.html#mailing-lists-chat) and then send 
an email asking about the CVE.
 
+#### VEX
+Since the process of checking whether CVEs in dependencies of Solr affect your
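
Review bot: In steps 1 and 2, the new in-page links `#recent-cve-reports-for-apache-solr` and `#cve-reports-for-apache-solr-dependencies` depend on headings that are not visible in this hunk. Please confirm both headings exist on the page and render to exactly these slugs, since a mismatched anchor fails silently and leaves readers at the top of the page. Step 2's link text still reads "officially published non-exploitable vulnerabilities" while its target is now named for dependency CVE reports in general, so consider aligning the wording with the section it points to. The `#### VEX` heading is followed directly by body text with no blank line and does not expand the acronym; a blank line and a spelled-out name on first use would help.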

Review Comment:
   I'd prefer if the "VEX" chapter was pushed to the bottom of the page, next 
to the new table?
   
   As it stands now, it takes up much real-estate, and I think we generally 
should be more to the point. As it is now we tend to grow the "intro" part of 
the security page on every edit, so users have to read tons of text before they 
get to the "meat".


