[Bug 343743] New: [Security] Establish a Security Team
Product/Component: Community / Architecture Council

           Summary: [Security] Establish a Security Team
    Classification: Eclipse Foundation
           Product: Community
           Version: unspecified
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Architecture Council
        ReportedBy: wayne@xxxxxxxxxxx
            Blocks: 337004

To make a security policy meaningful, we need a team of people who are
concerned with security issues. These people may not necessarily have all the
answers, but they can provide triage, liaison, and other services.

I propose that the "Eclipse Security Team" include the Webmaster, Director of
Open Source Projects (i.e. me), and at least one representative from each PMC.

The security team can be contacted via the security@xxxxxxxxxxx address.
Anybody can send email to this address, but only members of the Security Team
can receive messages. All members of the team will receive the email. The email
will *not* be encrypted (this is true of the security address for Bugzilla and
Apache). We will provide a guarantee of response within three business days. I
expect that the back-and-forth discussion on issues reported via this address
will be relatively short and result in the creation of a bug. In some cases,
the security address may be included in the cc for bugs.

Does this make sense?

Do we provide a mechanism for adding additional people to the Security Team?
(e.g. subject matter experts)

Do we feel that we need to provide an encrypted (e.g. PGP) contact point? I
could set up a key for emo@xxxxxxxxxxx if we feel that this is necessary;
though, once we create a bug about a vulnerability, all communication sent from
Bugzilla will *not* be encrypted, anyway.

My sense is that we are not looking at adding significant burden to any
project. At present, we have very few bugs related to vulnerabilities, so I
expect the volume to be low. In the steady state, I believe that RT will be the
primary target of reports (due to the runtime nature of their projects). Having
a Security Team in place will--at a minimum--provide a valuable channel for
communication of vulnerabilities within the project structure. Can anybody see
a flaw in my logic?
