janhoy commented on code in PR #168: URL: https://github.com/apache/solr-site/pull/168#discussion_r3085026878
########## content/pages/security.md: ########## @@ -1,67 +1,43 @@ -Title: Solr™ Security News +Title: Solr™ Security URL: security.html save_as: security.html template: security -## How to report a security issue +## Report a New Vulnerability -### Published CVEs Detected by Scanners -Every CVE that is detected by a software scanner is by definition already public knowledge. That means the Solr PMC and the rest of the world probably already know about it. +The Solr PMC greatly appreciates responsible disclosure of new security vulnerabilities found in Solr itself +or demonstrating exploitation via a dependency. +**It is important not to publish a previously unknown exploit**, or exploit demonstration code, on public +mailing lists or issue trackers before coordinating with the PMC. -To find a path forward in addressing a detected CVE we suggest the following process for fastest results: +See the [vulnerability reporting procedure](security-reporting.html) for the full reporting rules, +the workflow diagram, and what to expect after you report. -1. Check [further down this page](#recent-cve-reports-for-apache-solr) to see if the CVE is listed as exploitable in Solr. -2. Check the [officially published non-exploitable vulnerabilities](#cve-reports-for-apache-solr-dependencies) list to see if the CVE is listed as not exploitable in Solr. -3. Search through the [Solr users mailing list archive](https://lists.apache.org/[email protected]) to see if anyone else has brought up this dependency CVE. -4. If no one has, then please do [subscribe to the users mailing list](https://solr.apache.org/community.html#mailing-lists-chat) and then send an email asking about the CVE. +## CVEs in Dependencies Detected by Scanners Review Comment: I have now pushed this change. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
