Re: [jakartaee-tck-dev] How should the community report vulnerabilities in the Platform TCK?

[1] has interesting feedback that I would like to bring attention to.  Does anyone else think that the Platform TCK policy for dealing with security vulnerabilities should not be customized but instead follow the default Eclipse policy as outlined in [2]?

On 9/27/21 4:21 PM, Scott Marlow wrote:

[1] is for creating a SECURITY.md file that explains how to report a Platform TCK vulnerability.  Note that [1] only mentions reporting vulnerabilities in the last release 9.1.x.  If you disagree with the current content of [1], please respond here or on the [1] pull request.

If you agree with the [1] content, please approve the pull request or comment on the PR that it looks good.

Scott
[1] https://github.com/eclipse-ee4j/jakartaee-tck/pull/739

Scott

[2] https://www.eclipse.org/projects/handbook/#vulnerability

