This Confluence has been LDAP enabled, if you are an ASF Committer, please use your LDAP Credentials to login. Any problems file an INFRA jira ticket please.

Page tree
Skip to end of metadata
Go to start of metadata


====This is WORK IN PROGRESS====

Proposed guidelines

  • An issue that is considered a security issue must be tracked on JIRA with the label set to "security" and flag set to "important". 
    • The ticket must include information about the source of the finding and a description of the vulnerability.
  • An issue can be marked as a security issue at the time of creation of the ticket or any time thereafter as soon as such a determination is made.
  • The fix for an identified security issue will be applied to all existing branches, including all prior supported releases.
  • Issues may have two levels of security (INFRA-14182). Level 2 will be used for critical issues for which the exploit mechanism is best not publicized while a fix is in progress.
    • 1: Viewable by all, editable only by Committers and specific additional users
    • 2: Viewable and editable only by Committers and specific additional users. 
  • Once fixed, all issues should be set to level 1. 

How to determine security issues

  • Run Static Code Analysis Tool (Coverity) scans on every release to determine issues such as buffer overflow, memory corruptions, null pointer dereferences etc.
  • Use additional tools that scan for dependencies and find vulnerabilities using public vulnerability databases such as the NIST National Vulnerability Database (NVD) as well as its own database.
  • Penetration tests (white box, black box, physical) undertaken as part of a security audit

Best Practices


  • No labels