Re: Introducing David Jorm, security response process expert

Edward Warnicke


Thank you for the work, I will add it to the TSC agenda for tomorrow.  Will you be able to attend to discuss it (8am PST)?  If so, do you have any constraints on your time that would influence when in the agenda we cover it (needing to leave before the end of the meeting for example)?


On Wed, May 18, 2016 at 1:20 AM, David Jorm <david.jorm@...> wrote:
Hi All

I have now drafted an initial process for review, as discussed:

This process is based on the one I developed for OpenDaylight, but has been simplified to suit I think the next steps are to send out a call for participation on the security team, form that team to review and approve the process, then turn our attention to implementation. Here is some text for the call for participation, which I think should come from a more established member of the community rather than from me:

As grows and matures, we realize it is important to establish a vulnerability management process and a security team to define and execute it. We're looking for a small group of security-minded people who can form this team. Responsibilities will include:

* Reading and triaging incoming reports of security issues
* Producing patches for security issues as a top priority
* Maintaining confidentiality of security issues until they are patched and publicly disclosed
* Writing advisories to communicate information about security issues and patches to the community

We have David Jorm, an experienced security engineer, onboard to lead the team and define the process, so don't worry if you aren't a security expert. Anyone who is an active developer or other contributor would be welcome to join the team. If you are interested, please let the TSC know.


On Mon, Apr 25, 2016 at 9:29 PM, Edward Warnicke <hagbard@...> wrote:
In keeping with my action item from the last TSC meeting, please meet David Jorm,
the security response process expert who helped OpenDaylight in formulating their
process.  He will be joining us at our next TSC meeting to assist us in formulating the Security Response Process.

Many thanks to David, for stepping up again to help :)
