bmarwell commented on PR #5: URL: https://github.com/apache/maven-project-utils/pull/5#issuecomment-1321198865
> > I finally had to add a gh-robots.txt file to most Commons repositories.
>
> If it is the will and decision of the Apache Commons PMC, I will of course respect this.
>
> > Not only is this FUD but if this were indeed a SECURITY issue, filing it here is against our most basic and documented responsible reporting process.

1. This is not Apache Commons, this is part of the Apache Maven project.
2. While of course contributions are welcome and refusing those would need PMC attention, you are already ignoring the request to not report security issues publicly: https://www.apache.org/security/#reporting-a-vulnerability

I must admit it never came to my mind to suggest a file [.well-known/security.txt](https://maven.apache.org/.well-known/security.txt) (for explanation, see: https://developer.okta.com/blog/2021/10/19/intro-security-txt).

However, before most security researchers report vulnerabilities, it is already well-known and common to look WHERE to report them first. Please adopt the same behaviour. Thanks.
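The comment points researchers at `/.well-known/security.txt` as the place to find where a project wants vulnerability reports sent. The script below is an added example (not code from this PR, from Apache Maven, or from Apache Commons) that parses a security.txt body and checks the structural rules of RFC 9116 that a maintainer publishing such a file most often gets wrong: a `Contact` and an `Expires` field must be present, `Expires` and `Preferred-Languages` may appear at most once, `Expires` must be an RFC 3339 date-time that has not passed (and should be under a year away), and web links should use `https://`. The two sample files and their addresses are constructed placeholders; the script runs offline and does not fetch the real Maven file.

```python
"""Offline structural checks for a security.txt body (RFC 9116).

Added example; not part of the PR or of any Apache project's code.
The sample files and every address in them are constructed placeholders.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample that should pass: Expires is generated 180 days out so
# the example keeps passing whenever it is run.
_EXPIRES = (datetime.now(timezone.utc) + timedelta(days=180)).strftime("%Y-%m-%dT%H:%M:%SZ")
SAMPLE_SECURITY_TXT = f"""\
# Placeholder security.txt (constructed for this example)
Contact: mailto:security@example.invalid
Contact: https://example.invalid/report
Expires: {_EXPIRES}
Canonical: https://example.invalid/.well-known/security.txt
Policy: https://example.invalid/security-policy
Preferred-Languages: en, de
"""

# Constructed sample with three defects: no Expires, duplicate
# Preferred-Languages, and a plain-http Contact URL.
SAMPLE_BAD = """\
Contact: http://example.invalid/report
Preferred-Languages: en
Preferred-Languages: de
"""

REQUIRED = ("contact", "expires")
AT_MOST_ONCE = ("expires", "preferred-languages")
WEB_LINK_FIELDS = ("canonical", "policy", "acknowledgments", "hiring")


def parse_security_txt(text):
    """Return {lowercased field name: [values in file order]}.

    Blank lines and '#' comments are skipped; field names are case-insensitive
    per RFC 9116, so they are normalised to lower case.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line (no ':'): {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_rfc3339(value):
    # datetime.fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the checks all passed."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name.title()}")
    for name in AT_MOST_ONCE:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field appears more than once: {name}")
    for value in fields.get("contact", []):
        # RFC 9116 requires a URI; mailto:, tel: and https:// are the usual forms.
        if not value.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact has an unexpected URI scheme: {value}")
    for value in fields.get("expires", [])[:1]:
        try:
            expires = _parse_rfc3339(value)
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 date-time: {value}")
            continue
        if expires.tzinfo is None:
            problems.append(f"Expires must carry a timezone offset: {value}")
        elif expires <= now:
            problems.append(f"file has expired: {value}")
        elif expires - now > timedelta(days=366):
            problems.append("Expires is more than a year away (RFC 9116 recommends under one year)")
    for name in WEB_LINK_FIELDS:
        for value in fields.get(name, []):
            if not value.startswith("https://"):
                problems.append(f"{name} should be an https:// URL: {value}")
    return problems


if __name__ == "__main__":
    for label, body in (("good sample", SAMPLE_SECURITY_TXT), ("bad sample", SAMPLE_BAD)):
        print(label, "->", validate_security_txt(body) or "OK")
```

The checks are deliberately structural: they tell a maintainer whether the file will be readable by someone looking for a reporting channel, not whether the mailbox behind `Contact` is actually monitored, which is the part the comment is really about.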
