Posted to commits@spamassassin.apache.org by Apache Wiki <wi...@apache.org> on 2007/06/15 19:37:50 UTC

[Spamassassin Wiki] Update of "SecurityPolicy" by JustinMason

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Spamassassin Wiki" for change notification.

The following page has been changed by JustinMason:
http://wiki.apache.org/spamassassin/SecurityPolicy

The comment on the change is:
write up what we did for bug 5480

New page:
= Our Security Policy =

Once a potential vulnerability is reported to the committers, and has been verified to be an issue, here's what to do (based on what we did for bug 5480):

- Open a Bugzilla Security bug to track and discuss the issue; ensure the discussion CCs security /at/ spamassassin.apache.org, not dev.

- Generally figure out which version(s) are impacted by the issue.

- Write up a general vulnerability statement explaining the issue.

- Request a CVE. security /at/ apache.org last said to contact Mark J Cox <mark /at/ awe.com> to get a number.

- Notifications are made in advance to the vendor-sec mailing list <vendor-sec /at/ lst.de> and to anyone else the committers feel like informing, as long as it is kept private. Notifications contain the vulnerability statement, CVE info, and the patch (if possible).

- Public releases and announcements are made at an agreed-upon time, ideally 1-2 business days after the notification to vendor-sec.

- Tarballs are prepared "in secret" without committing anything to SVN or discussing on a public list.

- The patch is not committed to SVN until the tarballs have been released to the public.