
Governance/Proposed/OpenStack Security Group

Revision as of 21:39, 16 July 2011 by JarretRaim


OpenStack Security Group

Time: 2011-07-16

Drafter: JarretRaim

Drafter's Email: jarret.raim@rackspace.com

Status: Proposed

Charter

This proposal describes the formation of an OpenStack Security Group (OSSG). The group is modeled after other open source security organizations, most notably the Mozilla Security Group. The OSSG will have four major responsibilities:

  • Be the public face of the OpenStack project for security-related issues.
  • Operate a private security mailing list and issue tracker for tracking and resolving vulnerabilities.
  • Collate, define, publish and maintain security policies and guidance.
  • Work with vendors and developers to resolve security issues while adhering to responsible disclosure policies.

The Plan

My name is Jarret Raim and I am the Application Security Architect at Rackspace. I have been working to get the Group bootstrapped and recommend that the following resources be created for its use.

  • Public mailing list (OpenStack-Security)
  • Private mailing list
  • Private bug tracker instance
  • Security notification email address (security@openstack.org)
  • Web presence at (http://openstack.org/security)

The public mailing list will be open to anyone who wishes to participate. If participants wish to join the private list and bug tracker, they must apply to join, as the number of people with access to these private resources must necessarily be kept to a minimum. Applications will be approved by a simple majority vote of the current membership, in much the same way as Mozilla's Security Group.

The OSSG can only be successful with community involvement. As such, I recommend that a core of OpenStack community leaders, Rackspace specialists and security experts in the commercial and open source world start out as the seed of the OSSG, maintaining access to private resources. A set of those leaders have already been identified and we plan to add more before the Group officially starts.

There is a lot of work to be done. As we build membership in the OSSG, we'll need to tackle the following tasks to start:

  • Charter and Governance Model
  • Membership Policy
  • Voting Policy
  • Vulnerability Disclosure Policy
  • Responsible Disclosure Guidelines

When possible, all discussions will be undertaken on the public mailing list. The private list will be used for vulnerability discussion and classification (MSA/CVE). I welcome all comments and participation from the community. This effort cannot be driven solely by Rackspace; I need your help.