One of our TODOs related to moving to Commonhaus is housekeeping related to SECURITY.md files.

Note: This is initially intended as a discussion thread, not a call for people to start making updates.

1) A lot of our SECURITY.md files say to report issues via email to secalert@redhat.com. This is ok for now (i.e. this isn't a crisis) but we should move to using a community address.

WildFly AS has a security@wildfly.org address, which is what we ask people to use on a number of SECURITY.md files, including the one in the main wildfly/wildfly repo. There's a small group of people who monitor that address and react to posts on it. We bring in others to assist when needed.

I think all projects under the WildFly umbrella at Commonhaus should use security@wildfly.org in their SECURITY.md. For sure repos under the WildFly AS top-level project should. If other top-level projects have their own different mechanisms, that's ok.

Thoughts?

2) Call for volunteers! We're considering adding GPG encryption instructions to our recommended SECURITY.md content, so people can encrypt their reports. If you're interested in helping with that, please let Darran or me know. Tasks include working on:

* Evaluation of whether we should publish a GPG key for CVE reporting.
* Creation of said key, including securely sharing the private key with the required audience.
* Coordination of publication of the public key on relevant SECURITY.md files.

The last one I see as mostly being about drafting suitable language and assisting with questions about how to incorporate the language.


Before people start changing lots of SECURITY.md files we should discuss a bit here first and see what comes of #2 above. Changing dozens of files only to turn around and change them again a few weeks later would be a waste of valuable time.

--
Brian Stansberry
Architect, JBoss EAP
WildFly Project Lead
He/Him/His