|[eclipse.org-architecture-council] [Bug 343743] New: [Security] Establish a Security Team|
https://bugs.eclipse.org/bugs/show_bug.cgi?id=343743

Product/Component: Community / Architecture Council
Summary: [Security] Establish a Security Team
Classification: Eclipse Foundation
Product: Community
Version: unspecified
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P3
Component: Architecture Council
AssignedTo: eclipse.org-architecture-council@xxxxxxxxxxx
ReportedBy: wayne@xxxxxxxxxxx
Blocks: 337004

To make a security policy meaningful, we need a team of people who are concerned with security issues. These people may not necessarily have all the answers, but they can provide triage, liaison, and other services.

I propose that the "Eclipse Security Team" include the Webmaster, Director of Open Source Projects (i.e. me), and at least one representative from each PMC.

The security team can be contacted via the security@xxxxxxxxxxx address. Anybody can send email to this address, but only members of the Security Team can receive messages. All members of the team will receive the email. The email will *not* be encrypted (this is true of the security address for Bugzilla and Apache).

We will provide a guarantee of response within three business days.

I expect that the back-and-forth discussion on issues reported via this address will be relatively short and result in the creation of a bug. In some cases, the security address may be included in the cc for bugs.

Does this make sense?

Do we provide a mechanism for adding additional people to the Security Team? (e.g. subject matter experts)

Do we feel that we need to provide an encrypted (e.g. PGP) contact point? I could set up a key for emo@xxxxxxxxxxx if we feel that this is necessary; though, once we create a bug about a vulnerability, all communication sent from Bugzilla will *not* be encrypted, anyway.

My sense is that we are not looking at adding significant burden to any project. At present, we have very few bugs related to vulnerabilities, so I expect the volume to be low.

In the steady state, I believe that RT will be the primary target of reports (due to the runtime nature of their projects).

Having a Security Team in place will--at a minimum--provide a valuable channel for communication of vulnerabilities within the project structure.

Can anybody see a flaw in my logic?

-- 
Configure bugmail: https://bugs.eclipse.org/bugs/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.