...
The security team asks that you please do not create publicly viewable JIRA tickets related to the issue. If the report is validated, a JIRA ticket with the security flag set will be created so that the issue can be tracked in a non-public manner.
This document describes the procedures that will be used to respond to a reported vulnerability.
The PMC has decided to create a "Security Team" for CloudStack. The Security Team's charter is to manage the response to vulnerabilities reported in Apache CloudStack. This includes communication with the reporter, issue verification, issue correction, preparation of the public communication, and vendor coordination. The Security Team may ask other community members for assistance in verifying or correcting a reported issue.
...
Community members engaged by the Security Team are expected to hold the issue in confidence until the vulnerability is publicly announced. This protects the users of the software and gives reasonable time for the response process to be carried out. Further information can be found on the ASF's How it Works page.
The scope of these procedures applies to vulnerabilities found in CloudStack releases 4.0.0-incubating and later.
...
Some vulnerabilities may exist in ASF code releases as well as derivative works or binary distributions. This is discussed in the Distributors section below.
...
...
CloudStack operates a pre-disclosure list. This list contains the email addresses of the security response teams of significant CloudStack distributors, including both corporations and community institutions. The purpose of the pre-disclosure list is to enable the CloudStack project and distributors to take part in a bi-directional information sharing agreement for vulnerabilities. By joining the pre-disclosure list, the organization and the ASF mutually agree to share vulnerability information that is originally reported to either of them, to jointly verify and fix issues, and to jointly (simultaneously) make vulnerability announcements and hotfix releases (if warranted) to the public. The ASF and the organizations on the pre-disclosure list are also expected to be reasonably responsive, with a guideline of 2-4 weeks to verify issues and release fixes (if warranted). Response times should be discussed and agreed upon for each issue depending on its severity.
...