On 2020-09-02 14:21, Fred Posner wrote:
As time progresses, attack metrics change. If a criterion meets a major announcement, the project has shown and demonstrated that information will be released in a security announcement, for example:
https://www.kamailio.org/w/2018/07/kamailio-security-announcement-for-kamail...
For better or worse, one of the arguments made was that if 2018 was the last time we had an announcement of this magnitude, we must not be Serious About Security™.
It is worth taking the time to introspect about whether the threshold for such announcements is properly calibrated. That's never a bad idea.
However, to suggest that there must be a quota of major vulnerability announcements per unit of time met in order for a project to be credibly Serious About Security™ is ludicrous.
-- Alex