Hi Dan, all,
I've read the updated version(s), I'm happy with them as they are written here in the 0.5 version (that implies that Linaro is happy with them).
External process: - It'd be nice at some point to complement the text with a graphical timeline showing the boundaries at each step.
Internal process: - CVSSv3 or something else to identify the severity? I know OP-TEE isn't using CVSSv3. I'd be happy to change OP-TEE to align with other TF projects. - Regarding people on op-tee-security@trustedfirmware.org, for now I think it's sufficient to have Jens + the global address ( security@trustedfirmware.org).
Maniphest: - I have no experience, but that'll probably get the job done as any other tools would have done.
Regards, Joakim
On Wed, 19 Feb 2020 at 19:00, Dan Handley via TSC < tsc@lists.trustedfirmware.org> wrote:
Hi TF TSC
This is a v0.5 update to the proposed tf.org security incident handling process, which I sent previously.
Changes:
- Expanded the Trusted Stakeholder embargo request period to 3 working
days (in their timezone).
Expanded the ESS definition to include suppliers to ESSes (e.g. distros).
Allowed projects to optionally use severity scoring (CVSSv3 preferred
but not mandated).
- Allowed for flexibility in disclosure plan to accommodate reporter's
disclosure plan.
- Allowed for the fact that some projects cannot deliver vulnerability
fixes to a restricted audience for export control reasons.
I've also included an internal facing process for the first time, mainly aimed at members of the security team(s) so they know how to execute the process.
I propose the next steps are:
Discuss the latest changes in the 20th Feb TSC meeting.
- Set a date for approval of the external process (e.g. mid-March).
Identify the right people to be on the security teams.
Work with tf.org infra people and each project's security teams to
propose a plan for when this process can be made active. Should we try to make this active for all projects at the same time or as each project is ready?
Regards
Dan.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. -- TSC mailing list TSC@lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tsc