janhoy commented on code in PR #168:
URL: https://github.com/apache/solr-site/pull/168#discussion_r3060781113


##########
content/pages/security-reporting.md:
##########
@@ -0,0 +1,208 @@
+Title: Solr™ Vulnerability Reporting Procedure
+URL: security-reporting.html
+save_as: security-reporting.html
+template: security-reporting
+
+This page documents the procedure for reporting a security vulnerability in 
Apache Solr and
+explains what happens after a report is submitted. It also provides canned 
email templates
+for PMC members to use when responding to reports.
+
+Apache Solr is maintained by volunteers. The PMC will make every effort to 
respond promptly,
+but cannot guarantee specific response times. We appreciate your patience and 
your contribution
+to the security of the project.
+
+If you have concerns about how the project team is handling a report, you may 
also contact
+[[email protected]](mailto:[email protected]) directly.
+For PMC members, the ASF provides detailed
+[committer guidance on vulnerability 
handling](https://www.apache.org/security/committers.html).
+
+## Before You Report
+
+Ensure you have tested against a [supported Solr 
version](https://solr.apache.org/downloads.html)
+with both **authentication** and **authorization** properly configured.
+Exploits demonstrated without authentication are not valid — running Solr 
without authentication is a
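
Review bot: the wording "Exploits demonstrated without authentication are not valid" in the Before You Report section is broader than the page intends, because it also rules out reports of authentication or authorization bypass, which by definition begin without valid credentials and are exactly the class of bug the PMC most wants to hear about. The requirement the paragraph sets up is narrower: test against a supported version with both authentication and authorization configured, and treat findings that only work because those features are switched off as out of scope. Suggest stating it that way, and keep the bypass case explicitly in scope, e.g. "Findings that only work because authentication or authorization is disabled are out of scope; bugs that defeat the configured authentication or authorization are in scope." Since the preceding sentence requires both authentication and authorization, the dismissal clause should also mention authorization, so that an exploit which only works from an all-privileges role is treated the same way as one that needs no login.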

Review Comment:
   ```suggestion
   Ensure the reported exploit is possible on a properly secured Solr instance. Admin-level HTTP APIs in Solr are designed for authenticated, trusted administrators.
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

