OpenMage / organizational

As some people feel the need to already know more about the future when M1 reaches EOL, here is an area for organizational stuff

Security policy #13

Open mmenozzi opened 4 years ago

mmenozzi commented 4 years ago

Hi, as requested here I open this issue to discuss the security policy of OpenMage.

I think that a good starting point is this PR. In my opinion, the most important thing is an email address where people can send security issues found in the M1 codebase. Emails sent to this address should be forwarded to a small group of trusted people who can take care of those security issues and work on the related security patches. This group of people should also have access to a private issue tracker (a shared Google Spreadsheet should be enough at the beginning).

As stated by @Flyingmana, security fixes can also be "ported" from other sources like Magento hosting companies, solution partner agencies or other projects like Mage-One.

I also think that another source of security fixes will be Magento 2. Many Magento 2 classes still share the same code as the related M1 classes, so the security fixes for M2 could be ported to M1 as well (thinking about the big SQL Injection fix of a few months ago).