Project security mailinglist is going to be sunsetted in favor of GitHub private security reports

[blackboxsw]

SecurityMailing list -> GitHub Private Security Reports

The cloud-init upstream project will prefer private security reports are filed which are reviewed by Canonical's security team.

The upstrem project has not received much value from our former security mailing list at cloud-init-security@lists.canonical.com in recent years the list has become a target for spam.

As part of a general policy to sunset out use of mailinglists for opensource projects. We would like to direct any new security advisory needs to our documented in cloud-init security policy.

The process for filing security issues will be:

1. draft a new avisory at https://github.com/canonical/cloud-init/security/advisories/new
2. coordinate with security and upstream maintainers in the advisory to determine a incident disclosure plan based on risk assessment, severity and the affected environments