commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Gary Gregory <>
Subject RE: Top Level Security Page
Date Sun, 31 Aug 2014 09:28:50 GMT
Great idea!

Every Commons component should have such a page indeed, can be a link to the same page for
all of Commons IMO.

Some changes though are needed.

It should be made clearer that there is an important distinction between undisclosed and disclosed

One way to do this is with two headings:

- Reporting a new security issue
- Asking questions about a known security issue.

"Questions about:" should be "Questions about known and reported issues:"


<div>-------- Original message --------</div><div>From: Stefan Bodewig <>
</div><div>Date:08/31/2014  05:00  (GMT-05:00) </div><div>To:
</div><div>Subject: Top Level Security Page </div><div>
</div>Hi all

I was just browsing the security pages of some ASF projects and the
guidelines set by our security team[1] (preparing a talk, not because
there was any issue) and realized Commons didn't have a page describing
how to report security issues.

Since I'm the one who created the page for Compress[2] by mostly copying
the Tomcat page in 2012 I know at least one component has such a page.
FileUpload which fixed a security issue with the 1.3.1 doesn't have a
page of its own.

I'd like to create a top level page for Commons about reporting security
issues.  Basically I'd take the "Reporting New Security Problems" and
"Errors and Ommissions" sections from Compress' page and add a section
linking to component specific subpages as they exist.  I'd like to see
this page linked in either the "Commons" or "General Information"
section of the navigation (which probably means doing something with
parent, I'll need to sort this out).





To unsubscribe, e-mail:
For additional commands, e-mail:

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message