This is the home of the ASF Security space.

This space is mainly used for (public and private) notes for use within Apache projects.

If you are not part of an Apache project yourself, the public-facing information on https://security.apache.org may be more useful to you.

Space Index

Total number of pages: 78


D

Page: Dealing with security advisories for dependencies
How to report When an advisory is published for a dependency, more often than not, the project does not use the dependency in a way that is affected by the problem described in the advisory. For this reason we don't accept the simple fact that an advisory
Page: Documenting your security model
ASF projects are encouraged to include a page on their website or documentation describing the 'Security Model' of the project. The Security Model describes the assumptions and guarantees the project makes with respect to security. For example, the Securi

F

Page: For what issues to create advisories
It is ASF Policy https://apache.org/security/committers.html that we create a CVE advisory for all vulnerabilities in our released code, including "low-severity" ones. The goal of an advisory is to give operators the information they need to make an infor

G

Page: Getting help handling security reports
As you can read in the Security Process https://apache.org/security/committers.html#work-in-private, security reports must be handled in private by the PMC. You should not create a public Jira ticket to track the issue, or a public GitHub issue, since tho
Page: GitHub Private Vulnerability Reporting
We currently do not support GitHub Private Vulnerability Reporting for ASF projects. This might be interesting in the future, but currently missing are: Often, the PMC will want to have a private discussion about a report before confirming/rejecting it to

O

Page: OpenSSF Best Practices Badge
The OpenSSF Best Practices badge program is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices. https://www.bestpractices.dev/en Projects that already follow ASF policies

P

Page: Project Security Response Formal Escalation
It is the collective responsibility of the PMC https://apache.org/foundation/governance/pmcs.html to make sure any security reports are handled timely and responsibly, according to the ASF Security Process https://apache.org/security/committers.html. The

R

Page: Reproducible Builds
The term "Reproducible Builds" refers to making sure the build process for various artifacts is so deterministic that building the same sources twice results in a bit-by-bit identical artifact. You can read more about it on https://reproducible-builds.org

S

Page: Software Bill of Materials SBOM
A 'Software Bill of Materials' (SBOM) is a standardized document describing all dependencies of an artifact. This may include compile-time dependencies, or be restricted to run-time/embedded dependencies. Such a document can then be used by platform-agnos
