Re: Maturity Model / Security Requirements

2017-08-03 Thread Mark Thomas
On 03/08/17 18:54, Dave Fisher wrote: > Hi - > >> On Aug 3, 2017, at 6:44 AM, Bertrand Delacretaz >> mailto:bdelacre...@apache.org>> wrote: >> >> On Wed, Aug 2, 2017 at 8:34 PM, Mark Thomas > > wrote: >>> On 02/08/17 17:48, Dave Fisher wrote: ... The project provides

Re: Maturity Model / Security Requirements

2017-08-03 Thread Dave Fisher
Hi -

> On Aug 3, 2017, at 6:44 AM, Bertrand Delacretaz wrote:
>
> On Wed, Aug 2, 2017 at 8:34 PM, Mark Thomas wrote:
>> On 02/08/17 17:48, Dave Fisher wrote:
>>> ... The project provides a well-documented *_secure_* channel to report
>>> security issues, along with a documented way of respon

Re: Maturity Model / Security Requirements

2017-08-03 Thread Bertrand Delacretaz
On Wed, Aug 2, 2017 at 8:34 PM, Mark Thomas wrote: > On 02/08/17 17:48, Dave Fisher wrote: >>... The project provides a well-documented *_secure_* channel to report >> security issues, along with a documented way of responding to them >> > "secure, non-public" ? I'd say "secure and private". Tha

Re: Maturity Model / Security Requirements

2017-08-02 Thread Mark Thomas
On 02/08/17 17:48, Dave Fisher wrote:
> Hi,
>
> I just now noticed while looking at a podling's maturity evaluation that
> the requirement Q030[1] has an issue. The podling stated that security
> issues are submitted to JIRA! The wording on the model needs to be
> updated so that it is clear that

Maturity Model / Security Requirements

2017-08-02 Thread Dave Fisher
Hi, I just now noticed while looking at a podling's maturity evaluation that the requirement Q030[1] has an issue. The podling stated that security issues are submitted to JIRA! The wording on the model needs to be updated so that it is clear that the reporting of a security issue must be by an