
More clearly explain what unresolved security vulnerabilities are about

Open · daniel-beck opened this issue 3 years ago · 1 comment

I recently noticed an increase in the number of questions related to unresolved security vulnerabilities announced in security advisories.

A public example is https://groups.google.com/g/jenkinsci-users/c/JKnCVT1YGVk/m/Zgx2GkQwAQAJ. In private, folks file SECURITY issues or email the Jenkins security team "informing" us about these security warnings, or asking us to fix them (some examples would be SECURITY-2642, -2653, -2694, -2707, -2830).

We need to make it clearer to people:

  1. That we know about these warnings (they're ours!)
  2. That this is intentional and "we" (security team) are not going to fix these issues.
  3. Why we are announcing these issues even without a fix.

While it's documented at https://www.jenkins.io/security/plugins/ this isn't a very discoverable location unless someone really digs into the security docs (which happens approximately never).

Perhaps even with a cheeky reference to https://www.jenkins.io/participate/code/ / https://www.jenkins.io/doc/developer/plugin-governance/adopt-a-plugin/ 😁

Links

Locations where we could add this information, using sitemonitor's recent issue as an example:

  - https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-1932 (as part of "As of publication …")
  - https://plugins.jenkins.io/sitemonitor/ (in the notification area on top)

daniel-beck · Apr 11 '22 12:04

https://github.com/jenkins-infra/jenkins.io/pull/5305 partially addressed this.

daniel-beck · Aug 02 '22 15:08