Start combining multiple security issues in one release if applicable #9986
borisstoyanov started this conversation in General
Hello @borisstoyanov, thanks for creating the discussion. We already have a private discussion regarding this topic; please comment in that one. Furthermore, as security issues are the PMC's burden, we should discuss how to handle them in private before announcing or discussing anything in public.
With the increased interest in the project, we’re seeing a rise in security issues being reported—an encouraging sign of the community’s engagement and commitment to improvement. Over the past summer, we addressed all reported issues and issued security releases, which has been greatly beneficial to both the community and the project as a whole. However, this process has been quite demanding on the team, requiring significant time and effort.
To make this process more efficient and sustainable, we could consider implementing a system that prioritizes issues based on severity. For example, if a low-severity issue with a viable workaround is reported, we could bundle several such issues into a single release and provide public guidance on the workaround. This would allow users to remain protected while reducing the immediate pressure on PMC members, enabling them to prioritize their efforts more effectively.
My proposal is that whenever we can come up with a workaround that can be easily implemented by everyone, we simply send an advisory describing the situation and how we can protect ourselves, then move that issue to a backlog of security fixes we can later plan to address properly within a combined release.
For example, let's say there is a vulnerability on port 4523 and this port should not be open at all; we come back to the community with an advisory to block it with a firewall, and we schedule the fix of this issue for the next security release, if feasible.