jenkins-infra · Wadeck · Jan 20, 2023 · Jan 21, 2023 · Jan 21, 2023 · Jan 23, 2023
@@ -40,17 +40,8 @@ Even if you run Jenkins on a private network and trust everyone in your team, se
 == How to Report a Security Vulnerability
 
 If you find a vulnerability in Jenkins, please link:https://issues.jenkins.io/secure/CreateIssueDetails!init.jspa?pid=10180&issuetype=10103[report it in the issue tracker under the SECURITY project].
-This project is configured in such a way that only the reporter, the maintainers, and the Jenkins security team can see the details.
-Restricting access to this potentially sensitive information allows core and plugin maintainers to develop effective security fixes that are safe to apply.
-We provide issue reporting guidelines and an overview of our process on link:reporting[Reporting Security Vulnerabilities].
-
-If you are unable to report using our issue tracker, you can also send your report to the private Jenkins Security Team mailing list:
-`[email protected]`
-
-IMPORTANT: Do not contact the Jenkins security team asking us for compliance documents, certifications, or to fill out a questionnaire.
-We will not respond to such queries.
-If we consider it necessary to provide a statement in response to incidents such as link:/blog/2021/12/10/log4j2-rce-CVE-2021-44228/[log4shell] or link:/blog/2022/03/31/spring-rce-CVE-2022-22965/[SpringShell], you will find a response in our link:/blog/[blog].
 
+We provide issue reporting guidelines and an overview of our process on link:reporting[Reporting Security Vulnerabilities].
 
 == Learn More
 

@@ -98,6 +98,25 @@ The following behaviors/issues are not vulnerabilities in Jenkins project infras
 * Publicly accessible Jenkins controllers other than ci.jenkins.io and weekly.ci.jenkins.io are not operated by the Jenkins project.
   Please do not contact us with any concerns regarding them.
 
+
+=== CVEs in dependencies
+
+In the case of CVEs found in third party dependencies included in the Jenkins project, if the ticket does not include reproduction steps, a proof or at least a good argument, we are closing it.
+Those CVEs are internally analysed and most of the time the project is not impacted.
+In those cases, we recommend reporters file public issues, or submit a pull request on GitHub updating the dependency.
+
+When a CVE has an impact to the security of Jenkins, we include it in an advisory, like link:/security/advisory/2022-09-09/#SECURITY-2868[CVE-2022-2048 in Jetty] or link:/security/advisory/2022-02-09/#SECURITY-2602[CVE-2021-43859 in XStream].
+
+Instead of announcing a continuous flow of non-impacting vulnerabilities, our approach is to publish information only for those that we consider interesting, like critical score, widely spread, etc.
+For them you will find an article in our link:/node/[blog], like: link:/blog/2021/12/10/log4j2-rce-CVE-2021-44228/[Log4Shell] or link:/blog/2022/03/31/spring-rce-CVE-2022-22965/[SpringShell].
+
+
+=== Compliance
+
+IMPORTANT: Do not contact the Jenkins security team asking us for compliance documents, certifications, or to fill out a questionnaire.
+We will not respond to such queries.
+
+
 == Issue Handling Process
 
 Once reported, the Jenkins security team will perform an evaluation of the issue to determine affected components and whether the report is a valid security vulnerability.