GitHub user borisstoyanov closed a discussion: Start combining multiple 
security issues in one release if applicable

With the increased interest in the project, we’re seeing a rise in security 
issues being reported—an encouraging sign of the community’s engagement and 
commitment to improvement. Over the past summer, we addressed all reported 
issues and issued security releases, which has been greatly beneficial to both 
the community and the project as a whole. However, this process has been quite 
demanding on the team, requiring significant time and effort.

To make this process more efficient and sustainable, we could consider 
implementing a system that prioritizes issues based on severity. For example, 
if a low-severity issue with a viable workaround is reported, we could bundle 
several such issues into a single release and provide public guidance on the 
workaround. This would allow users to remain protected while reducing the 
immediate pressure on PMC members, enabling them to prioritize their efforts 
more effectively.

My proposal is that whenever we can come up with a workaround that can be easily 
implemented by everyone, we simply send an advisory describing the situation 
and how we can protect ourselves, then move that issue to a backlog of security 
fixes we can later plan to address properly within a combined release.

For example: let's say there is a vulnerability on port 4523 and this port 
should not be open at all. We come back to the community with an advisory to 
block it with a firewall, and we schedule the fix of this issue in the next 
security release if feasible.

GitHub link: https://github.com/apache/cloudstack/discussions/9986

----
This is an automatically sent email for users@cloudstack.apache.org.