Hello,
I would like to share my thoughts about the last 2 releases, which fix critical security holes.
I'm not satisfied with how the communication is done on security points like this.
I discovered the problem with this post from the French CERT: https://twitter.com/CERT_FR/status/1743295694113309077
For a problem like this, the only information I found was
https://thewatch.centreon.com/product-updates/security-bulletin-for-centreon-web-2807
which is now 14 days old, and since this post a new release for another security hole was published, without any changelog.
And who goes every day on TheWatch to see if security fixes were published?!
Most people on your Slack did not even know that these security holes/fixes were published.
For the last release I tried to get information about what was changed on X and Slack; nobody responded.
I think you must inform your customers widely about such security updates:
E-mails, your Slack, your X (Twitter) account, the website homepage, the home of the documentation, …
Having security problems is not a shame, it happens to every project, but what is a shame is to minimize it and not communicate widely, as you put your customers in danger.
Because bad hackers will know about security holes long before we do, and we must apply fixes as soon as possible.