[ 
https://issues.apache.org/jira/browse/SOLR-18193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18073014#comment-18073014
 ] 

Gus Heck commented on SOLR-18193:
---------------------------------

That's a good point; it has a lot of the same information. It does seem to lack 
a "learnings/post-mortem" notion, however. I think we should still have an 
explicit page, or at least a section, referencing that and maybe adding something 
about how we plan to learn from each incident, with the title "incident response 
plan." IRP is a key phrase that folks may be looking for (or even searching 
for! ;) ).

> Rewrite website security page and security reporting workflow
> -------------------------------------------------------------
>
>                 Key: SOLR-18193
>                 URL: https://issues.apache.org/jira/browse/SOLR-18193
>             Project: Solr
>          Issue Type: Task
>          Components: website
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 3.5h
>  Remaining Estimate: 0h
>
> The project keeps getting security reports to the security@ mailing list, many 
> of which do not follow our instructions.
> The root cause may be that our security web page 
> [https://solr.apache.org/security.html] is a mix of security 
> news/announcements, false-positives/vex, description of our official security 
> posture and step-by-step how to file a security report.
> The web page can be improved.
>  * The News section can go as a sub category of the NEWS page.
>  * The VEX stuff can be a separate sub page of security.html.
>  * The main security.html could focus on what users should know, and what 
> security researchers should prepare before reporting an issue.
>  * The page could also benefit from a graphical diagram outlining the flow.
> When the PMC responds to incoming emails we need a set of well written canned 
> responses for a few typical cases, like incomplete report, we don't like 
> attachments to mail etc. Those canned responses could live in Wiki or as yet 
> another sub page of the web page?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
