The purpose of the Security Working Group communications plan is to keep Security contacts (firstname.lastname@example.org) abreast of CLE security vulnerabilities whenever they are found and confirmed. The Security contacts group has access, by design and necessity, to Jira security issues. Notifying them by email of new and updated issues serves to facilitate an easier path for them to keep up-to-date and make informed decisions for their respective institutions with respect to the management of their Sakai CLE system. This is also a group of people from whom we might want to request help to assess and fix vulnerabilities.
The Security WG will send a summary email as part of the documentation accompanying a release (major and minor releases both), or at least once a quarter.
Summary emails are not a substitute for issuing alerts for known security vulnerabilities that represent a clear and present danger to the community. Therefore, in addition to summary emails, individual alerts should be issued when such a vulnerability is confirmed and a patch is ready.