[ 
https://issues.apache.org/jira/browse/SOLR-18193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18072966#comment-18072966
 ] 

Gus Heck commented on SOLR-18193:
---------------------------------

I think this update would be an ideal time to also state a formal incident 
response plan. Here are some examples from other prominent projects:

[https://two.js.org/incident-response-plan/]

[https://github.com/nodejs/security-wg/blob/main/INCIDENT_RESPONSE_PLAN.md]

The current PR is very much heading in a similar direction, but I think it might 
be good to have one more sub-page with the title "Incident Response Plan" that 
covers the five areas in the two.js example, and the node example's 
consideration of different types of vulnerabilities might be good too. The 
added page can probably link to sections of other pages that already cover 
something there.

> Rewrite website security page and security reporting workflow
> -------------------------------------------------------------
>
>                 Key: SOLR-18193
>                 URL: https://issues.apache.org/jira/browse/SOLR-18193
>             Project: Solr
>          Issue Type: Task
>          Components: website
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 3.5h
>  Remaining Estimate: 0h
>
> The project keeps getting security reports to the security@ mailing list, 
> many of which do not obey our instructions.
> The root cause may be that our security web page 
> [https://solr.apache.org/security.html] is a mix of security 
> news/announcements, false-positives/vex, description of our official security 
> posture and step-by-step how to file a security report.
> The web page can be improved.
>  * News section can go as a sub category of the NEWS page.
>  * The VEX stuff can be a separate sub page of security.html.
>  * The main security.html could focus on what users should know, and what 
> security researchers should prepare before reporting an issue.
>  * The page could also benefit from a graphical diagram outlining the flow.
> When the PMC responds to incoming emails we need a set of well written canned 
> responses for a few typical cases, like incomplete report, we don't like 
> attachments to mail etc. Those canned responses could live in Wiki or as yet 
> another sub page of the web page?


