gus-asf commented on code in PR #168:
URL: https://github.com/apache/solr-site/pull/168#discussion_r3070262925


##########
content/pages/security.md:
##########
@@ -1,67 +1,43 @@
-Title: Solr™ Security News
+Title: Solr™ Security
 URL: security.html
 save_as: security.html
 template: security
 
-## How to report a security issue
+## Report a New Vulnerability
 
-### Published CVEs Detected by Scanners
-Every CVE that is detected by a software scanner is by definition already 
public knowledge. That means the Solr PMC and the rest of the world probably 
already know about it.
+The Solr PMC greatly appreciates responsible disclosure of new security 
vulnerabilities found in Solr itself
+or demonstrating exploitation via a dependency.
+**It is important not to publish a previously unknown exploit**, or exploit 
demonstration code, on public
+mailing lists or issue trackers before coordinating with the PMC.
 
-To find a path forward in addressing a detected CVE we suggest the following 
process for fastest results:
+See the [vulnerability reporting procedure](security-reporting.html) for the 
full reporting rules,
+the workflow diagram, and what to expect after you report.
 
-1. Check [further down this page](#recent-cve-reports-for-apache-solr) to see 
if the CVE is listed as exploitable in Solr.
-2. Check the [officially published non-exploitable 
vulnerabilities](#cve-reports-for-apache-solr-dependencies) list to see if the 
CVE is listed as not exploitable in Solr.
-3. Search through the [Solr users mailing list 
archive](https://lists.apache.org/[email protected])  to see if 
anyone else has brought up this dependency CVE.
-4. If no one has, then please do [subscribe to the users mailing 
list](https://solr.apache.org/community.html#mailing-lists-chat) and then send 
an email asking about the CVE.
+## CVEs in Dependencies Detected by Scanners
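
Review bot: The deleted four-step triage for scanner-detected dependency CVEs (check the exploitable list, check the published non-exploitable list, search the users list archive, then subscribe and ask) is the guidance that keeps already-public CVEs off the private reporting channel, and within the lines shown the new `## CVEs in Dependencies Detected by Scanners` heading that replaces it carries no body; keep those steps, the two in-page anchor links and the sentence that a scanner-detected CVE is by definition public knowledge under the new heading, or the page loses the one answer most scanner-driven reports need. Minor wording in the added intro: "found in Solr itself or demonstrating exploitation via a dependency" reads awkwardly; "found in Solr itself or exploitable in Solr through one of its dependencies" says the same thing more plainly.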

Review Comment:
   ```suggestion
   
   ## Incident Response Plan
   
   All Apache projects follow the process [outlined by the Apache Software 
Foundation](https://www.apache.org/security/committers.html). Although this is 
not specifically labeled as an IRP, it covers most of the key topics including 
how to report, who's responsible, where to discuss
   the issue privately and the appropriate means, tools and venues for 
disclosing the CVE and the fix. The [reporting procedure 
page](security-reporting.html) further refines that policy. If you feel there 
is ambiguity or conflict between these pages, or need clarifications, feel free 
to mail the [public mailing lists](community.html) to discuss it (**do not** 
mail [email protected]).
   
   ## CVEs in Dependencies Detected by Scanners
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

