Posted to commits@pulsar.apache.org by pe...@apache.org on 2022/08/11 04:11:17 UTC

[pulsar] branch master updated: [docs] Clarify security vulnerability process and reporting (#17039)

This is an automated email from the ASF dual-hosted git repository.

penghui pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new 96d4bbb1e15 [docs] Clarify security vulnerability process and reporting (#17039)
96d4bbb1e15 is described below

commit 96d4bbb1e15f8a04f30a3036565ab26d923e8746
Author: Lari Hotari <lh...@users.noreply.github.com>
AuthorDate: Thu Aug 11 07:11:09 2022 +0300

    [docs] Clarify security vulnerability process and reporting (#17039)
---
 README.md                                                    |  2 ++
 SECURITY.md                                                  | 12 +++++++++++-
 site2/docs/security-policy-and-supported-versions.md         | 11 ++++-------
 .../version-2.10.0/security-policy-and-supported-versions.md | 10 ++++++----
 .../version-2.10.1/security-policy-and-supported-versions.md | 10 ++++++----
 5 files changed, 29 insertions(+), 16 deletions(-)

diff --git a/README.md b/README.md
index 274c4c552e7..80208a18d9b 100644
--- a/README.md
+++ b/README.md
@@ -345,6 +345,8 @@ You can self-register at https://apache-pulsar.herokuapp.com/
 
 To report a vulnerability for Pulsar, contact the [Apache Security Team](https://www.apache.org/security/). When reporting a vulnerability to [security@apache.org](mailto:security@apache.org), you can copy your email to [private@pulsar.apache.org](mailto:private@pulsar.apache.org) to send your report to the Apache Pulsar Project Management Committee. This is a private mailing list.
 
+https://github.com/apache/pulsar/security/policy contains more details.
+
 ## License
 
 Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
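Review bot: the added line `https://github.com/apache/pulsar/security/policy contains more details.` is a bare URL used as the subject of a sentence, while the paragraph right above it links everything as Markdown; render it the same way, e.g. `See the [security policy](https://github.com/apache/pulsar/security/policy) for more details.`, so it reads consistently and the link text says what the reader will find.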
diff --git a/SECURITY.md b/SECURITY.md
index 7bd3ead079f..ce95a05da90 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,3 +1,13 @@
 # Security Policy
 
-The security policy and supported versions are outlined on the Pulsar website here: https://pulsar.apache.org/docs/security-policy-and-supported-versions/.
+## Security Vulnerability Process
+
+The Pulsar community follows the ASF [security vulnerability handling process](https://apache.org/security/#vulnerability-handling).
+
+To report a new vulnerability you have discovered, please follow the [ASF security vulnerability reporting process](https://apache.org/security/#reporting-a-vulnerability). To report a vulnerability for Pulsar, contact the [Apache Security Team](https://www.apache.org/security/). When reporting a vulnerability to [security@apache.org](mailto:security@apache.org), you can copy your email to [private@pulsar.apache.org](mailto:private@pulsar.apache.org) to send your report to the Apache Pul [...]
+
+It is the responsibility of the security vulnerability handling project team (Apache Pulsar PMC in most cases) to make public security vulnerability announcements. You can follow announcements on the [users@pulsar.apache.org](mailto:users@pulsar.apache.org) mailing list. For instructions on how to subscribe, please see https://pulsar.apache.org/contact/.
+
+## Security Policy details and supported versions of Apache Pulsar
+
+The security policy and supported versions are outlined on the Pulsar website under [Security > Security Policy and Supported Versions](https://pulsar.apache.org/docs/security-policy-and-supported-versions/).
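Review bot: the first two sentences of the reporting paragraph give the reader two different instructions for the same step: "follow the ASF security vulnerability reporting process" and then "contact the Apache Security Team". They point at the same page, so merge them into one sentence (for example "To report a vulnerability in Pulsar, follow the ASF reporting process: email security@apache.org and optionally CC private@pulsar.apache.org ...") so a reporter is not left wondering whether these are two separate actions.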
diff --git a/site2/docs/security-policy-and-supported-versions.md b/site2/docs/security-policy-and-supported-versions.md
index ac907e12c70..2a40c27fd48 100644
--- a/site2/docs/security-policy-and-supported-versions.md
+++ b/site2/docs/security-policy-and-supported-versions.md
@@ -9,16 +9,13 @@ sidebar_label: "Security Policy and Supported Versions"
 You can find documentation on Pulsar's available security features and how to use them here:
 https://pulsar.apache.org/docs/en/security-overview/.
 
-## Security Vulnerability Announcements
+## Security Vulnerability Process
 
-The Pulsar community will announce security vulnerabilities and how to mitigate them on the [users@pulsar.apache.org](mailto:users@pulsar.apache.org).
-For instructions on how to subscribe, please see https://pulsar.apache.org/contact/.
+The Pulsar community follows the ASF [security vulnerability handling process](https://apache.org/security/#vulnerability-handling).
 
-## Reporting Vulnerabilities
+To report a new vulnerability you have discovered, please follow the [ASF security vulnerability reporting process](https://apache.org/security/#reporting-a-vulnerability). To report a vulnerability for Pulsar, contact the [Apache Security Team](https://www.apache.org/security/). When reporting a vulnerability to [security@apache.org](mailto:security@apache.org), you can copy your email to [private@pulsar.apache.org](mailto:private@pulsar.apache.org) to send your report to the Apache Pul [...]
 
-The Pulsar community follows the ASF [vulnerability handling process](https://apache.org/security/#vulnerability-handling).
-
-To report a new vulnerability you have discovered please follow the [ASF vulnerability reporting process](https://apache.org/security/#reporting-a-vulnerability).
+It is the responsibility of the security vulnerability handling project team (Apache Pulsar PMC in most cases) to make public security vulnerability announcements. You can follow announcements on the [users@pulsar.apache.org](mailto:users@pulsar.apache.org) mailing list. For instructions on how to subscribe, please see https://pulsar.apache.org/contact/.
 
 ## Versioning Policy
 
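Review bot: this hunk removes the headings `## Security Vulnerability Announcements` and `## Reporting Vulnerabilities` in favour of a single `## Security Vulnerability Process`, which changes the page's generated anchors; any existing links to `#security-vulnerability-announcements` or `#reporting-vulnerabilities` (from advisories, mailing-list posts or other docs) will stop resolving. Either keep the old headings as subheadings under the new section, or note the anchor change so the references can be updated.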
diff --git a/site2/website/versioned_docs/version-2.10.0/security-policy-and-supported-versions.md b/site2/website/versioned_docs/version-2.10.0/security-policy-and-supported-versions.md
index 31f8cf061b8..2a40c27fd48 100644
--- a/site2/website/versioned_docs/version-2.10.0/security-policy-and-supported-versions.md
+++ b/site2/website/versioned_docs/version-2.10.0/security-policy-and-supported-versions.md
@@ -2,7 +2,6 @@
 id: security-policy-and-supported-versions
 title: Security Policy and Supported Versions
 sidebar_label: "Security Policy and Supported Versions"
-original_id: security-policy-and-supported-versions
 ---
 
 ## Using Pulsar's Security Features
@@ -10,10 +9,13 @@ original_id: security-policy-and-supported-versions
 You can find documentation on Pulsar's available security features and how to use them here:
 https://pulsar.apache.org/docs/en/security-overview/.
 
-## Security Vulnerability Announcements
+## Security Vulnerability Process
 
-The Pulsar community will announce security vulnerabilities and how to mitigate them on the [users@pulsar.apache.org](mailto:users@pulsar.apache.org).
-For instructions on how to subscribe, please see https://pulsar.apache.org/contact/.
+The Pulsar community follows the ASF [security vulnerability handling process](https://apache.org/security/#vulnerability-handling).
+
+To report a new vulnerability you have discovered, please follow the [ASF security vulnerability reporting process](https://apache.org/security/#reporting-a-vulnerability). To report a vulnerability for Pulsar, contact the [Apache Security Team](https://www.apache.org/security/). When reporting a vulnerability to [security@apache.org](mailto:security@apache.org), you can copy your email to [private@pulsar.apache.org](mailto:private@pulsar.apache.org) to send your report to the Apache Pul [...]
+
+It is the responsibility of the security vulnerability handling project team (Apache Pulsar PMC in most cases) to make public security vulnerability announcements. You can follow announcements on the [users@pulsar.apache.org](mailto:users@pulsar.apache.org) mailing list. For instructions on how to subscribe, please see https://pulsar.apache.org/contact/.
 
 ## Versioning Policy
 
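Review bot: the removed sentence promised that the community will announce "security vulnerabilities and how to mitigate them" on users@pulsar.apache.org; the replacement only says the PMC makes "public security vulnerability announcements" and drops the commitment to include mitigation guidance. Since that is the part operators care about, keep it, e.g. "... to make public security vulnerability announcements, including mitigation steps, ...".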
diff --git a/site2/website/versioned_docs/version-2.10.1/security-policy-and-supported-versions.md b/site2/website/versioned_docs/version-2.10.1/security-policy-and-supported-versions.md
index 31f8cf061b8..2a40c27fd48 100644
--- a/site2/website/versioned_docs/version-2.10.1/security-policy-and-supported-versions.md
+++ b/site2/website/versioned_docs/version-2.10.1/security-policy-and-supported-versions.md
@@ -2,7 +2,6 @@
 id: security-policy-and-supported-versions
 title: Security Policy and Supported Versions
 sidebar_label: "Security Policy and Supported Versions"
-original_id: security-policy-and-supported-versions
 ---
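Review bot: after this change the 2.10.1 copy, the 2.10.0 copy and `site2/docs/security-policy-and-supported-versions.md` all end up as the same blob (`2a40c27fd48` in each `index` line), so the policy text now lives in three byte-identical files that have to be edited in lockstep. Consider making the versioned pages a short pointer to the unversioned policy page (or to `SECURITY.md`) so future wording changes happen in one place.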
 
 ## Using Pulsar's Security Features
@@ -10,10 +9,13 @@ original_id: security-policy-and-supported-versions
 You can find documentation on Pulsar's available security features and how to use them here:
 https://pulsar.apache.org/docs/en/security-overview/.
 
-## Security Vulnerability Announcements
+## Security Vulnerability Process
 
-The Pulsar community will announce security vulnerabilities and how to mitigate them on the [users@pulsar.apache.org](mailto:users@pulsar.apache.org).
-For instructions on how to subscribe, please see https://pulsar.apache.org/contact/.
+The Pulsar community follows the ASF [security vulnerability handling process](https://apache.org/security/#vulnerability-handling).
+
+To report a new vulnerability you have discovered, please follow the [ASF security vulnerability reporting process](https://apache.org/security/#reporting-a-vulnerability). To report a vulnerability for Pulsar, contact the [Apache Security Team](https://www.apache.org/security/). When reporting a vulnerability to [security@apache.org](mailto:security@apache.org), you can copy your email to [private@pulsar.apache.org](mailto:private@pulsar.apache.org) to send your report to the Apache Pul [...]
+
+It is the responsibility of the security vulnerability handling project team (Apache Pulsar PMC in most cases) to make public security vulnerability announcements. You can follow announcements on the [users@pulsar.apache.org](mailto:users@pulsar.apache.org) mailing list. For instructions on how to subscribe, please see https://pulsar.apache.org/contact/.
 
 ## Versioning Policy
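Review bot: "the security vulnerability handling project team (Apache Pulsar PMC in most cases)" leaves the reader guessing when it is not the PMC; say what the exception is (or that the ASF Security Team may handle it) or just link the phrase to the ASF process page that defines the handling team, so the sentence states who will actually publish the advisory.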