It is the collective responsibility of the PMC to make sure any security reports are handled promptly and responsibly, according to the ASF Security Process.

The Apache Security Team is available to provide help and advice on security issues, coordinates the handling of security vulnerabilities, and reminds projects when the process stagnates. When a project does not manage to handle their security reports adequately, the Security Team initiates a number of more formal escalation steps, which are described here.

This document does not have explicit deadlines or thresholds, as those are determined on a risk-based case-by-case basis: issues that pose a greater risk to users (due to the nature of the project, the issue, the fact that the project is known to be actively working on a more important security issue, or otherwise) are treated with more urgency.

Unresponsive PMC

When a PMC fails to take appropriate action despite reminders on the private communication channels, the ASF Security Team will issue a call for volunteers on the project's public mailing lists on the PMC's behalf, explaining that the project is struggling to respond to security issues and is in need of help.

Security Roll Call

When the call described in the "Unresponsive PMC" section does not yield volunteers, or the PMC does not succeed in turning around their responsiveness with those volunteers, the ASF Security Team will initiate a formal Roll Call.

In responding to the Roll Call, PMC members are asked to confirm that they are still actively committed to providing oversight of the project, and that they will come up with a plan, including measurable milestones and deadlines, to return the project to a healthy security posture. If either:

  • there are insufficient responses to the roll call
  • the PMC does not manage to produce a plan, or
  • the PMC does not meet the deadlines it has set for itself in this plan

it is expected to start the Attic process.

Forced move to the Attic

If the project fails to return to health after the formal Roll Call, but also does not start the Attic process, the Attic process will be started on the PMC's behalf by the ASF Security Team.