Description
We currently have neither a security disclosure page nor instructions on how people should report vulnerabilities to us.
security@apache.org will already use our private@accumulo list for forwarding issues to us. Presuming we don't want to create security@accumulo, we should advertise that private@ is the preferred way for others to contact us.
in addition to a dedicate page, a reference on the mailing lists page would be a good idea (since it's the closest thing we have to a 'contact us' page).
ref: ASF guide
Attachments
Issue Links
- links to