raboof commented on PR #8: URL: https://github.com/apache/xerces-j/pull/8#issuecomment-2736782903
> Seems like a good idea. Practically what happens once a report is submitted to [[email protected]](mailto:[email protected])? Who is contacted? Who will deal with it?

The process is described at https://apache.org/security/committers.html - the security team will do an initial triage, and when the report appears legitimate, respond with a receipt confirmation and forward it to the project's private list for the PMC to deal with further.

> Currently Xerces has one very occasional committer/maintainer, and there doesn't seem to be any effort or will to expand that pool. Does Apache have a process in place to emergency push a release when the project's maintainers are unavailable or non-existent?

In case of a Log4shell-scale event the security team does have the required access and mandate to push an emergency release (though no doubt it'll be challenging in practice). In 99.9% of cases this would fall on the PMC and surrounding community, though. If the PMC can no longer responsibly deal with security issues then they should flag that in their board reports and move themselves to the attic.
