
Difference between revisions of "Governance/Proposed/OpenStack Security Group"

(Removed MSA since we aren't Mozilla)
Line 44: Line 44:
 
* Responsible Disclosure Guidelines
 
* Responsible Disclosure Guidelines
  
When possible, all discussions will be undertaken on the public mailing list. The private list will be used for vulnerability discussion & classification (MSA/CVE). I welcome all comments and participation from the community. This effort cannot be driven solely by Rackspace, I need your help.
+
When possible, all discussions will be undertaken on the public mailing list. The private list will be used for vulnerability discussion & classification (CVE). I welcome all comments and participation from the community. This effort cannot be driven solely by Rackspace, I need your help.
  
 
----
 
----
 
[[Category:Proposal]]
 
[[Category:Proposal]]
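Review bot: In the replaced sentence, "vulnerability discussion & classification (CVE)" reads as though CVE were a classification scheme; CVE assigns identifiers to vulnerabilities rather than classifying them, so consider "vulnerability discussion and CVE assignment" or similar. Dropping the undefined "MSA" acronym is consistent with the edit summary, since the rest of the revision only cites the Mozilla Security Group as a model.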

Revision as of 20:05, 16 August 2011


OpenStack Security Group

Time: 2011-07-16

Drafter: JarretRaim

Drafter's Email: jarret.raim@rackspace.com

Status: Proposed

Charter

This proposal describes the formation of an OpenStack Security Group (OSSG). The group is modeled after other open source security organizations, most notably the Mozilla Security Group. The OSSG will have 4 major responsibilities:

  • Be the public face of the OpenStack project for security related issues.
  • Operate a private security mailing list and curate private issues in LaunchPad for tracking & resolving vulnerabilities.
  • Collate, define, publish and maintain security policies and guidance.
  • Work with vendors and developers to resolve security issues while adhering to responsible disclosure policies.

The Plan

My name is Jarret Raim and I am the Application Security Architect at Rackspace. I have been working to get the Group bootstrapped and recommend that the following resources be created for its use.

  • Private mailing list
  • Private bug category in LaunchPad (not publicly visible)
  • Security notification email address (security@openstack.org)
  • Public list of private list members with GPG keys for encrypted notifications
  • Web presence at http://openstack.org/security

Public discussions will use the current OpenStack mailing list until there is enough traffic to justify a separate list. If participants wish to join the private list & be granted visibility to private issues, they must make an application to join, as the number of people with access to these private resources must necessarily be kept to a minimum. Applications will be approved by a simple majority vote of the current membership, in much the same way as the Mozilla Security Group.

The OSSG can only be successful with community involvement. As such, I recommend that a core of OpenStack community leaders, Rackspace specialists and security experts in the commercial and open source world start out as the seed of the OSSG, maintaining access to private resources. A set of those leaders have already been identified and we plan to add more before the Group officially starts. As the set of people with access to private resources should remain small, the private group should start out with no more than 8 participants.

There is a lot of work to be done. As we build membership in the OSSG, we'll need to tackle the following tasks to start:

  • Charter and Governance Model
  • Membership Policy
  • Voting Policy
  • Vulnerability Disclosure Policy
  • Responsible Disclosure Guidelines

When possible, all discussions will be undertaken on the public mailing list. The private list will be used for vulnerability discussion & classification (CVE). I welcome all comments and participation from the community. This effort cannot be driven solely by Rackspace; I need your help.