Contacting the group
When to contact the group
Please contact the security contact group when you discover a security vulnerability in released Jasig code, e.g. in CAS, uPortal, etc.
How to contact the group
Contact the group via firstname.lastname@example.org .
What do I do if somehow contacting the security email address didn't meet my needs?
Contact the Apereo Executive Director at email@example.com.
The purpose of the Jasig Security Contact group is to provide a reasonably private first point of contact for security vulnerabilities discovered in source code released through Jasig, facilitating initial, private collaboration among a few developers to allow a workaround or fix to be available before or simultaneous with the issue becoming public knowledge. The role of this group in Jasig is analogous to the role of firstname.lastname@example.org in Apache.
What this group is
This group is a few volunteers who listen on an email list. Anyone finding and confirming a security vulnerability in Jasig distributed code is encouraged to contact this group via this group's private, not-publicly-archived email list (rather than post the issue to the public issue tracker or to any of the public lists). This group will acknowledge receipt of the message and forward the information about the exploit privately to developers likely to be able to resolve the issue. Once there's at least a workaround and preferably a formal patch available the developers on the affected project confirm addresses the issue, the group will coordinate a reasonable response to the issue, which may include distributing the patch to people likely to need it before announcing the issue, or announcing the vulnerability simultaneous with releasing the workaround / patch that fixes it. In any case, the idea is to not announce vulnerabilities without having a story about how they can be immediately addressed. Once the issue is addressed, the role of the security contact group is to facilitate moving discussion of the issue into traditional opensource development forums (the public email lists, issue tracker, etc.)
What this group is not
This group is not a forum for general security discussion. It is not a QA group. This group is not necessarily the developers who will actually fix any given security issue.
Ongoingly, the security contact group will maintain its own membership by consensus, adding / replacing members to share the load.
Policies and Procedures
When someone posts an issue to the list, it is important to quickly acknowledge that issue and let the poster know that it is being forwarded to developers who can do something about it. This helps posters not to give up and post the issue to a public list before a fix is available.
Keep the list in the loop
When a group member responds as this group, he or she should CC this group so that others in the group know who has been contacted, what actions have been taken towards addressing particular issues.
Whatever can be public, should be public
Public collaboration is important to Jasig projects. This group should only be used for sensitive issues that require privacy because viable solutions are not yet available. Anything that can instead be pursued in more public venues without compromising deployments of released Jasig code should be pursued in those more public venues.
Likewise, once this group has successfully facilitated a resolution of a particular issue, once there is a workaround or patch available, it is important that information about the issue become available in more public forums. Deployments need to become aware of the issue so that they can apply the workaround or patch, and developers not initially contacted through this group may have important contributions to make to the further improvement of the workaround or patch and to addressing underlying causes of the vulnerability.