Hi TF TSC
This is a v0.5 update to the proposed tf.org security incident handling process, which I sent previously.
Changes:
* Expanded the Trusted Stakeholder embargo request period to 3 working days (in their timezone).
* Expanded the ESS definition to include suppliers to ESSes (e.g. distros).
* Allowed projects to optionally use severity scoring (CVSSv3 preferred but not mandated).
* Allowed for flexibility in disclosure plan to accommodate reporter's disclosure plan.
* Allowed for the fact that some projects cannot deliver vulnerability fixes to a restricted audience for export control reasons.
I've also included an internal facing process for the first time, mainly aimed at members of the security team(s) so they know how to execute the process.
I propose the next steps are:
* Discuss the latest changes in the 20th Feb TSC meeting.
* Set a date for approval of the external process (e.g. mid-March).
* Identify the right people to be on the security teams.
* Work with tf.org infra people and each project's security teams to propose a plan for when this process can be made active. Should we try to make this active for all projects at the same time or as each project is ready?
Regards
Dan.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.