Warning: This page has not been updated in over a year and may be outdated or deprecated.
security

Differences

This shows you the differences between two versions of the page.

security [2024/02/20 13:17] demiankatzsecurity [2024/02/20 19:47] (current) demiankatz
Line 6: Line 6:
  
 See the [[administration:security|Security for VuFind® Administrators]] page for step-by-step instructions on common security-related configuration needs as well as important best practice advice. See the [[administration:security|Security for VuFind® Administrators]] page for step-by-step instructions on common security-related configuration needs as well as important best practice advice.
 +
 +===== Known Vulnerabilities =====
 +
 +// No vulnerabilities have been reported yet. //
  
 ===== Reporting a Security Issue ===== ===== Reporting a Security Issue =====
  
 If you have discovered a security flaw in VuFind®, or if you have specific security-related concerns, please contact info@vufind.org to reach the [[community:roles_and_responsibilities#project_management_committee|Project Management Committee]]. The PMC will work with you to reach a satisfactory solution to your problem and make responsible disclosures to the community where necessary. If you have discovered a security flaw in VuFind®, or if you have specific security-related concerns, please contact info@vufind.org to reach the [[community:roles_and_responsibilities#project_management_committee|Project Management Committee]]. The PMC will work with you to reach a satisfactory solution to your problem and make responsible disclosures to the community where necessary.
 +
 +===== Vulnerability Handling =====
 +
 +The vulnerability handling process is inspired by the [[https://www.apache.org/security/|Apache Software Foundation process]], and it works like this:
 +
 +  * A vulnerability is reported to the Project Management Committee.
 +  * The Project Management Committee (and relevant committers) work privately with the reporter to resolve the vulnerability.
 +  * A new release is issued containing the fix to the vulnerability; fixes may also be backported to legacy release branches at the discretion of the development team.
 +  * The vulnerability is announced to the project's public mailing lists and Slack community, and mitigation instructions are posted to this page.
  
 ===== Other Resources ===== ===== Other Resources =====
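Review bot: the four steps added under "Vulnerability Handling" use the unordered list marker ("  * "), but the text introduces them as a process and the order matters: the public announcement in the last bullet should only follow the release described in the third. DokuWiki's ordered list marker ("  - ") would make that sequence explicit. Two smaller points: the last bullet says mitigation instructions are posted "to this page" without naming the new "Known Vulnerabilities" section, so pointing at that section by name would tell readers where to look; and the "No vulnerabilities have been reported yet" placeholder carries no date, so a reader cannot tell how current the statement is.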
security.1708435030.txt.gz · Last modified: 2024/02/20 13:17 by demiankatz