Target completion date: Never expires
Goals
Respond quickly to security alerts received through the security mailing list or any other possible channel.
Maintain security information as confidential and avoid uncoordinated exposure that could harm our users (cf. SecurityAlertProcess).
Keep our users safe by auditing the security capabilities of Foswiki.
Required Powers
Trusted to be members of the security mailing list.
Able to individually evaluate the severity of incoming reports and respond to reporters on behalf of the entire group.
Be able to request CVEs on behalf of the project.
Be able to block releases that do not meet security criteria.
Be able to require the issue of a patch release with needed security fixes.
Discussion
Just a note on achievements to date:
- Responded to all security alerts in a timely and effective manner over 2009
- Implemented new CSRF protection features
The association board has a duty to establish the PrivacyPolicy and will be looking to this team to help ensure it is implemented.
Kenneth, can we have a status update please?
--
CrawfordCurrie - 09 Dec 2009
As Crawford correctly noted we have been responding to all security alerts in 2009 and will continue to do so.
When an alert comes in I am normally taking the initiative to get the problem characterized. I have been adjusting the team a couple of times during 2009. It is essential that people on the team are responsive and help with evaluation, decisions and fixing. People who have not been able to be active in a period have been gently removed from the team and new ones have been added.
It is essential to understand that the security mailing list is only for the active security team members. You cannot join the mailing list just to get early warnings about security issues. For a security team to be efficient and able to keep things secret it must be limited to a need-to-know group.
I believe the current team has the right size. I will continue to dynamically adjust the team members so we have the right mix of skills and people who in this period of their lives have the time to prioritize urgent fixes in our code.
Remember that it is the responsibility of the entire development community to write code with security in mind and to prevent escaped security issues from reaching attackers before our users have had the time to patch their installations.
We often see people (non-developers) trying to join the security mailing list. They misunderstand the purpose and think it is an announcement mailing list. To those that admin the mailing lists: let me take care of them. I send them a friendly no with guidance to join the announcement mailing list instead.
I want to thank the development community for the incredible focus we have had on security in 2009. Foswiki has significantly raised the bar from a security perspective.
--
KennethLavrsen - 10 Dec 2009
This team is in need of a new team lead as Kenneth hasn't been seen on the project for a long time. Kenneth, are you still available? Or anybody else on the list: please step forward to take the lead. Thanks.
--
MichaelDaum - 22 May 2013
Crawford, I've put you in the team lead as you've been most active in this field.
--
MichaelDaum - 23 May 2014
OK. It was a toss-up between George and me, but since I know the codebase best, I can triage quickly. However, I can't do it all myself; I need active support.
--
CrawfordCurrie - 23 May 2014
I refined the goals above. Security team members, please indicate your willingness to continue to contribute to this critical work.
Anyone else willing to contribute, please add your name to the list above, below mine.
--
CrawfordCurrie - 03 Jun 2014