Greetings,
I've leveraged Bugzilla functionality to allow committers to discuss
bugs related to security vulnerabilities in a private and closed
fashion. Currently, this functionality is only implemented for the
Platform project to keep everyone else's Bugzilla UI uncluttered, but
it can be extended to any other project that has a need for this.
Typically, when someone discovers a security-related issue, a bug is
opened with an abstract description, allowing the committers to "hide"
the bug from the public eye while the issue is discussed and a fix is
prepared. The bug is opened to the public once a fix is generally
available, and a security advisory has been issued.
Please note that this closed discussion functionality must only be
used to protect the general public from a security-related exploit.
How does it work?
When the "Committer-only group..." is checked (pictured below) the
bug becomes private to Eclipse committers and, optionally, to the
reporter and the CC list. Committers can add non-committers to the CC
list to allow them to participate in the closed discussion. Removing
the checkbox puts the bug back into the public eye, where it should be.

http://bugs.eclipse.org/223539 is what initiated this change in
Bugzilla.
Thanks,
Denis
--
Denis Roy
Manager, IT Infrastructure
Eclipse Foundation, Inc. -- http://www.eclipse.org/
Office: 613.224.9461 x224 (Eastern time)
Cell: 819.210.6481
denis.roy@xxxxxxxxxxx