Skip to content

Revise security issue reporting guidelines in dependencies#63

Open
hen wants to merge 2 commits into
apache:mainfrom
hen:main
Open

Revise security issue reporting guidelines in dependencies#63
hen wants to merge 2 commits into
apache:mainfrom
hen:main

Conversation

@hen

@hen hen commented Jun 12, 2026

Copy link
Copy Markdown
Member

Updated the reporting guidelines for security issues in dependencies to clarify the process for public and private reporting.

Updated the reporting guidelines for security issues in dependencies to clarify the process for public and private reporting.

@raboof raboof left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

generally great improvement, the 'if you have confirmed' paragraph might benefit from some further tweaking

If your organization has a mature software engineering culture, and you cannot find existing information on whether the project is affected by the issue in the advisory, it may be up to you to participate in its handling.

Contributions upgrading the dependency to a version that is not affected by the problem are generally welcomed, though will not typically expedite the release schedule.
If you cannot find existing information on whether the project is affected by the issue in the advisory, it may be up to you, as a part of the project community, to participate in its handling. Ensure you provide detailed information when starting a discussion - review how the project uses the dependency and have your opinion on the priority to upgrade, or even remove, the dependency. Contributions upgrading the dependency to a version that is not affected by the problem are generally welcomed, though will not typically expedite the release schedule.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Comment thread content/report-dependency.md Outdated
If you cannot find existing information on whether the project is affected by the issue in the advisory, it may be up to you, as a part of the project community, to participate in its handling. Ensure you provide detailed information when starting a discussion - review how the project uses the dependency and have your opinion on the priority to upgrade, or even remove, the dependency. Contributions upgrading the dependency to a version that is not affected by the problem are generally welcomed, though will not typically expedite the release schedule.

If your analysis confirms the issue described in the advisory does impact this project, please share that information with us with the appropriate level of detail though the private channels described [here](https://security.apache.org/report-code).
If your analysis identifies a broader issue related to the dependencies advisory, please share that information with us with the appropriate level of detail through the private channels described [here](https://security.apache.org/report-code).

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"confirms the issue described in the advisory does impact this project" may not have been super clear, but I don't really think "identifies a broader issue related to the dependencies advisory" is clearer.

Maybe: "If your analysis confirms the project is using the dependency in a way that is in fact impacted by the behavior described in the advisory" ? Still not super happy.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm looking to change the meaning. The original text felt like "Yes, this project depends on X -> contact security". Whereas I think it should only contact security when there is a larger issue, like this vulnerability identifies a larger vulnerability in the project that increases the risk.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed to:

"To influence release schedules, please provide a proof-of-concept report that the advisory affects the Apache Software Foundation project in question (not the dependency) through the private channels described here. If your analysis identifies other or related issues affecting the project, report these through the private channels."

If your analysis identifies a broader issue related to the dependencies advisory, please share that information with us with the appropriate level of detail through the private channels described [here](https://security.apache.org/report-code).

If you have verified the issue does not impact the project, it would be appreciated to share this analysis through the project's public channels, so others can review this work and make their own risk assessment.
If you have verified the issue does not impact the project, it is an appreciated contribution if you can share this analysis through the project's public channels, so others can review this work and make their own risk assessment.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍


Contributions upgrading the dependency to a version that is not affected by the problem are generally welcomed, though will not typically expedite the release schedule.
If you cannot find existing information on whether the project is affected by the issue in the advisory, it may be up to you, as a part of the project community, to participate in its handling. Ensure you provide detailed information when starting a discussion - review how the project uses the dependency and have your opinion on the priority to upgrade, or even remove, the dependency. Contributions upgrading the dependency to a version that is not affected by the problem are generally welcomed, though will not typically expedite the release schedule.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Only when you have a POC how the 3rd-party affects security of tha Apache Software Foundation project, report the POC and explanation about the security issue privately to the project.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed the next sentence to:

"To influence release schedules, please provide a proof-of-concept report that the advisory affects the Apache Software Foundation project in question (not the dependency) through the private channels described here. If your analysis identifies other or related issues affecting the project, report these through the private channels."

Comment thread content/report-dependency.md

@raboof raboof left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one small remaining comment, otherwise LGTM

If you cannot find existing information on whether the project is affected by the issue in the advisory, it may be up to you, as a part of the project community, to participate in its handling. Ensure you provide detailed information when starting a discussion - review how the project uses the dependency and have your opinion on the priority to upgrade, or even remove, the dependency. Contributions upgrading the dependency to a version that is not affected by the problem are generally welcomed, though will not typically expedite the release schedule.

If your analysis confirms the issue described in the advisory does impact this project, please share that information with us with the appropriate level of detail though the private channels described [here](https://security.apache.org/report-code).
To influence release schedules, please provide a proof-of-concept report that the advisory affects the Apache Software Foundation project in question (not the dependency) through the private channels described [here](https://security.apache.org/report-code). If your analysis identifies other or related issues affecting the project, report these through the private channels.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry to contradict other review comments here, but I think requiring a proof-of-concept might be too heavy. I think I would prefer:

Suggested change
To influence release schedules, please provide a proof-of-concept report that the advisory affects the Apache Software Foundation project in question (not the dependency) through the private channels described [here](https://security.apache.org/report-code). If your analysis identifies other or related issues affecting the project, report these through the private channels.
If you want us to treat your report as a vulnerability in our code, please provide a convincing analysis that the advisory affects the Apache Software Foundation project in question (not just the dependency) through the private channels described [here](https://security.apache.org/report-code). If your analysis identifies other or related issues affecting the project, report these through the private channels.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Much better yes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants