Reporting and tracking resolution of vulnerabilities in the post-Bugzilla era.
We had been using the "Vulnerability Reports" component on Bugzilla as a means for projects that do not have any other means of confidentially reporting vulnerabilities. The bugs in that component have been "moved" into the Help Desk GitLab repository. Further, some new issues have been opened by community members and have been marked confidential.
AFAICT, confidential issues are only visible to team members with at least a Reporter level of privilege. This means that we currently have no means of including an arbitrary committer on these issues as long as they are marked confidential.
Help desk doesn't feel like the right place for these sorts of issues. Regardless, I'm assuming that granting Reporter level privileges on the Help Desk issues to arbitrary committers is off the table.
I discuss setting up private security mailing lists for projects in eclipsefdn/emo-team/emo#71 (moved). This is probably also related to #382 (closed).
I'm wondering what GitLab options may be available.
I started down a path of creating a Vulnerability Tracking repository with just an issue tracker, thinking that we could move the strictly project-related issues on Help Desk there and set up individual committers as reporters as necessary (infrastructure issues should go wherever the IT team wants to put them).
Does anybody have any brilliant ideas?
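The visibility rule behind the concern above (confidential issues are readable by members at Reporter or above, plus the issue's author and assignees) can be audited before a report is filed in a given repository. The script below is an added example, not code from this issue or from the Eclipse Foundation; it assumes the GitLab v4 REST API (`GET /projects/:id/members/all`, which includes members inherited from the group) and uses GitLab's documented access-level numbers. The member list and usernames in the demo are constructed, so the offline part runs without a GitLab instance.

```python
"""Audit who can read a GitLab project's confidential issues.

GitLab shows a confidential issue to project members holding the Reporter
role (access_level 20) or higher, plus the issue's author and assignees.
Access levels: 10 Guest, 20 Reporter, 30 Developer, 40 Maintainer, 50 Owner.
Added example; not part of the original issue.
"""
import json
import urllib.parse
import urllib.request

REPORTER = 20

ACCESS_NAMES = {10: "Guest", 20: "Reporter", 30: "Developer",
                40: "Maintainer", 50: "Owner"}


def fetch_members_all(base_url, project_path, token):
    """Return direct and inherited members of a project.

    Network call to GET /projects/:id/members/all (real GitLab endpoint);
    not exercised by the offline demo below. Token needs read_api scope.
    """
    project_id = urllib.parse.quote(project_path, safe="")
    url = f"{base_url}/api/v4/projects/{project_id}/members/all?per_page=100"
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def confidential_readers(members, author=None, assignees=()):
    """Map username -> reason for everyone who can read a confidential issue.

    Members below Reporter (e.g. Guest) are excluded unless they are the
    author or an assignee of that particular issue.
    """
    readers = {}
    for m in members:
        level = m["access_level"]
        if level >= REPORTER:
            readers[m["username"]] = f"role {ACCESS_NAMES.get(level, level)}"
    if author:
        readers.setdefault(author, "issue author")
    for a in assignees:
        readers.setdefault(a, "assignee")
    return readers


def missing_committers(members, committers):
    """Committers who could NOT see a confidential issue in this project.

    This is the gap the discussion is about: a committer with no project
    membership, or only Guest, cannot be looped in on a confidential report.
    """
    visible = confidential_readers(members)
    return sorted(c for c in committers if c not in visible)


# Constructed sample data (hypothetical usernames, not real accounts).
SAMPLE_MEMBERS = [
    {"username": "emo-maintainer", "access_level": 40},
    {"username": "helpdesk-triage", "access_level": 20},
    {"username": "community-reporter", "access_level": 10},
    {"username": "project-committer-a", "access_level": 10},
]
SAMPLE_COMMITTERS = ["project-committer-a", "project-committer-b",
                     "emo-maintainer"]

if __name__ == "__main__":
    readers = confidential_readers(SAMPLE_MEMBERS,
                                   author="community-reporter",
                                   assignees=["project-committer-a"])
    for user, why in sorted(readers.items()):
        print(f"{user:22} can read: {why}")
    print("committers without access:",
          missing_committers(SAMPLE_MEMBERS, SAMPLE_COMMITTERS))
```

Running it against the constructed data shows the two committers who would have to be granted Reporter (or be made assignees on each issue) before they could see a confidential report; pointed at a real project with `fetch_members_all`, the same functions answer the question for the Help Desk repository or a dedicated vulnerability-tracking repository.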