Security settings in Jira

[Jukka Zitting <ju...@gmail.com>]

Hi,

Does anyone know how I should set up a Jira project for handling
reports about security vulnerabilities, i.e. issues that should only
become public once a release that fixes them is available?

Do I need a separate project for that or can I specify the security
settings per component or even per issue? Once the problem has been
fixed and the fix released, how do I make the related Jira issue
public?

BR,

Jukka Zitting

RE: Security settings in Jira

[Gavin <ga...@16degrees.com.au>]

> -----Original Message-----
> From: Jukka Zitting [mailto:jukka.zitting@gmail.com]
> Sent: Tuesday, 13 January 2009 8:38 AM
> To: infrastructure-dev@apache.org
> Subject: Security settings in Jira
> 
> Hi,
> 
> Does anyone know how I should set up a Jira project for handling
> reports about security vulnerabilities, i.e. issues that should only
> become public once a release that fixes them is available?

Are you talking about a new project or an existing one?

> 
> Do I need a separate project for that or can I specify the security
> settings per component or even per issue? Once the problem has been
> fixed and the fix released, how do I make the related Jira issue
> public?

No separate project needed. If you have an existing project you can assign
it to an Issue Security Scheme - copying the infra or prc security scheme
first would be good and then associate your project to it.

The project can be set so that by default, all issues created are 'private'
- that is can be so that only the project team and the reporter can see it.

Once your happy it is resolved, you can edit an issue and mark it as public,
then as long you set permissions that anyone can see closed/resolved/public
issues, your all set.

If you need a hand doing this, let me know.

Gav...

> 
> BR,
> 
> Jukka Zitting
> 
> 
> --
> No virus found in this incoming message.
> Checked by AVG.
> Version: 7.5.552 / Virus Database: 270.10.6/1888 - Release Date: 1/12/2009
> 7:04 AM