chore: add security notice 14

[markfarkas-camunda]

Description

We had a critical vulnerability in Web Modeler. Jira ticket: https://jira.camunda.com/browse/SEC-1285

When should this change go live?

• This is a bug fix, security concern, or something that needs urgent release support. (add bug or support label)
• This is already available but undocumented and should be released within a week. (add available & undocumented label)
• This is on a specific schedule and the assignee will coordinate a release with the DevEx team. (create draft PR and/or add hold label)
• This is part of a scheduled alpha or minor. (add alpha or minor label)
• There is no urgency with this change (add low prio label)

PR Checklist

• My changes are for an upcoming minor release and:
  • are in the /docs directory (version 8.8).
  • are in the /versioned_docs/version-8.7/ directory (version 8.7).
• My changes are for an already released minor and are in a /versioned_docs directory.

• I added a DRI, team, or delegate as a reviewer for technical accuracy and grammar/style:
  • Engineering team review
  • Technical writer review via @camunda/tech-writers unless working with an embedded writer.

[github-actions]

👋 🤖 🤔 Hello, @markfarkas-camunda! Did you make your changes in all the right places?

These files were changed only in docs/. You might want to duplicate these changes in versioned_docs/version-8.6/.

• docs/reference/notices.md

These files were changed only in docs/. You might want to duplicate these changes in versioned_docs/version-8.7/.

• docs/reference/notices.md

You may have done this intentionally, but we wanted to point it out in case you didn't. You can read more about the versioning within our docs in our documentation guidelines.

[wollefitz]

Thanks for adding the notice! Additionally to the individual remarks, this has to be backported to all previous doc versions.

[markfarkas-camunda]

@camunda/tech-writers in this PR we cannot link the docker images for specific versions (which contains the fix) because Web Modeler does not distribute images prior to 8.6 publicly, only on registry.camunda.cloud. In this case what should be the desired format of this security notice?

[akeller]

@camunda/tech-writers in this PR we cannot link the docker images for specific versions (which contains the fix) because Web Modeler does not distribute images prior to 8.6 publicly, only on registry.camunda.cloud. In this case what should be the desired format of this security notice?

My understanding based on the Slack thread is this will go out next week with the official release. Would it be ready then? If so, we can just keep this in a PR and you can add the link when it's ready.

[markfarkas-camunda]

Would it be ready then?

@akeller If you are referring to the docker images, those won't be available, Web Modeler just simply does not offer public Docker images, so we cannot link to previous versions, and we won't be able to in the future either. The question is: can we just skip the linking in this case? (mentioning the versions with the fix but only as plain text and not as links)

this will go out next week with the official release

That is my understanding as well.

[wollefitz]

Thanks for the adjustments - looks good now!