Gunnar,
Thank you for challenging these changes; these discussions are indeed important.
Having a separate Project Security Team differs from having a separate Project IP Team, as the risks are fundamentally different. A leaked 0-day vulnerability is catastrophic and cannot be remedied after the fact, while a temporary, non-released dependency with an incompatible license is a reversible issue.
Some projects, and I would encourage most to do so, prefer that vulnerability reports be accessible only to individuals with proper security education, limiting access to a minimum number of qualified individuals. This is the only way to mitigate the aforementioned risk. This aligns with industry best practices. Implementing these practices benefits the projects, the organization members, and the Foundation as a whole.
Implementing this practice may require some committers to forgo access to some project resources (considering vulnerability reports as project resources). This is currently not feasible under the existing EDP, as:
"All Project Committers have equal rights and responsibilities within the Project." (EDP Section 4.1)
This is the primary reason we believe a change to the EDP is necessary. We need an exception to the equal rights and responsibilities rule because the associated risks are critical, and the stakes are high.
If you have a different interpretation of the EDP and believe our concerns can be addressed at the project level or through the security policy, I would be glad to reconsider this request for changing the EDP.
Thanks again for your engagement.