This page is a draft. Creation of the JA-SIG Security Contact Group is a work in progress. Preface every sentence on this page with "it is proposed that" and that will be just about right.

Contacting the group

When to contact the group

Please contact the security contact group when you discover a security vulnerability in released Jasig code, e.g. in CAS, uPortal, etc.

How to contact the group

Contact the group via its email list, security@jasig.org.

What do I do if contacting the security email address somehow didn't meet my needs?

Contact the Apereo Executive Director at ed@apereo.org.

Charge

The purpose of the Jasig Security Contact group is to provide a reasonably private first point of contact for security vulnerabilities discovered in source code released through Jasig, facilitating initial, private collaboration among a few developers so that a workaround or fix is available before, or at the same time as, the issue becomes public knowledge. The role of this group in Jasig is analogous to the role of security@apache.org in Apache.

...

This group is a few volunteers who listen on an email list. Anyone finding and confirming a security vulnerability in Jasig-distributed code is encouraged to contact this group via its private, not-publicly-archived email list (rather than posting the issue to the public issue tracker or to any of the public lists). The group will acknowledge receipt of the message and forward the information about the vulnerability privately to developers likely to be able to resolve the issue. Once there is at least a workaround, and preferably a formal patch, that the developers on the affected project confirm addresses the issue, the group will coordinate a reasonable response. That response may include distributing the patch to people likely to need it before announcing the issue, or announcing the vulnerability at the same time as releasing the workaround or patch that fixes it. In any case, the idea is not to announce vulnerabilities without a story about how they can be immediately addressed. Once the issue is addressed, the role of the security contact group is to facilitate moving discussion of the issue into the traditional open-source development forums (the public email lists, issue tracker, etc.).

...

Public collaboration is important to Jasig projects. This group should only be used for sensitive issues that require privacy because viable solutions are not yet available. Anything that can instead be pursued in more public venues without compromising deployments of released Jasig code should be pursued in those more public venues.

...