Security advisories #87

@kroeckx

Description

I think we need to have a document describing what all should be covered in a security advisory. We've talked about this several times in the past, but I can't actually find an open issue for it.

Some of the things we should consider:

  • Should we document CVSS? In many cases, this gives the wrong answer for the users because it's a library. Maybe we should at least internally determine it. But a score if you use that part of the library can also be useful.
  • If we don't (publicly) document the CVSS, maybe we should at least document some of the values that go into it, like the complexity of the attack and the impact. This can be as text.
  • We should probably document how likely we think it is that you're affected, which is one of the things we use to determine the severity.
  • It should cover internal use in the libraries and the apps.
