[
https://issues.apache.org/jira/browse/SOLR-18193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Anshum Gupta updated SOLR-18193:
--------------------------------
Description:
The project keeps getting security reports to the security@ mailing list, many
of which do not follow our instructions.
The root cause may be that our security web page
[https://solr.apache.org/security.html] is a mix of security
news/announcements, false-positives/vex, description of our official security
posture and step-by-step how to file a security report.
The web page can be improved:
* The News section can go as a sub-category of the NEWS page.
* The VEX stuff can be a separate sub-page of security.html.
* The main security.html could focus on what users should know, and what
security researchers should prepare before reporting an issue.
* The page could also benefit from a graphical diagram outlining the flow.
When the PMC responds to incoming emails we need a set of well-written canned
responses for a few typical cases, like an incomplete report, or that we don't
accept attachments to mail, etc. Those canned responses could live in the Wiki
or as yet another sub-page of the web page?
was:
The project keeps getting security reports to securitu@ mailing list, which of
many do not obey by our instructions.
The root cause may be that our security web page
[https://solr.apache.org/security.html] is a mix of security
news/announcements, false-positives/vex, description of our official security
posture and step-by-step how to file a security report.
The web page can be improved.
* News section can go as a sub category of the NEWS page
* The VEX stuff can be a separate sub page of security.html,
* The main security.html could focus on what users should know, and what
security researchers should prepare before reporting an issue.
* The page could also benefit from a graphical diagram outlining the flow.
When the PMC responds to incoming emails we need a set of well written canned
responses for a few typical cases, like incomplete report, we don't like
attachments to mail etc. Those canned responses could live in Wiki or as yet
another sub page of the web page?
> Rewrite website security page and security reporting workflow
> -------------------------------------------------------------
>
> Key: SOLR-18193
> URL: https://issues.apache.org/jira/browse/SOLR-18193
> Project: Solr
> Issue Type: Task
> Components: website
> Reporter: Jan Høydahl
> Assignee: Jan Høydahl
> Priority: Major
> Labels: pull-request-available
> Time Spent: 3h
> Remaining Estimate: 0h
--
This message was sent by Atlassian Jira
(v8.20.10#820010)