Posted to dev@fineract.apache.org by Ed Cable <ed...@mifos.org> on 2017/01/12 19:25:10 UTC

Discussion on Addressing Security portion of Maturity Evaluation

Roman,

I wanted to separate out this thread to further discuss the feedback you
gave. Could you please expand a bit on what wiki recommendations we should
have in place. We are more extensively documenting our release policy so we
can transparently execute a patch at the drop of a hat.

Ed

> *QU30: The project provides a well-documented channel to report security
> issues, along with a documented way of responding to them.*
>
> Currently we just link to: http://www.apache.org/security/ Are we able to
> do as other projects at http://www.apache.org/security/projects.html or is
> a private channel not something we can set up till we're out of
> incubation. If we can move forward, I'd suggest we have a security page
> on our site, document and fix known vulnerabilities and then provide clear
> instruction on reporting vulnerabilities to a private channel like
> security@fineract.incubator.apache.org

This is less about security@fineract vs. http://www.apache.org/security/
and more about the community being ready for when the first 0-day
hits either of those. Being ready is a combination of tribal knowledge,
wiki recommendations and a release policy that would allow you to patch
at the drop of a hat.

-- 
*Ed Cable*
Director of Community Programs, Mifos Initiative
edcable@mifos.org | Skype: edcable | Mobile: +1.484.477.8649

*Collectively Creating a World of 3 Billion Maries | *http://mifos.org
<http://facebook.com/mifos>  <http://www.twitter.com/mifos>