-
Notifications
You must be signed in to change notification settings - Fork 575
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Updating Export Control Guidance #290
Comments
We request the LF Legal team to vet the current SRC process [1] and update the LF/CNCF guidance, specifically, we want to know if the process SRC documented has any implications for folks in companies that are in the Export Administration Regulations Entity List. Currently these folks may be: Case 1: A reporter of security related issues using the security mailing list requests status on their reported issue. Project investigation has subsequently led to a ripple of additional security vulnerability content in additional project(s), which are not yet public and may never fully be public. Is replying with detailed status (eg: the other project, other CVE code files/lines, proof-of-concept exploit) an export of a controlled class of information to a controlled entity? Case 2: A member of the private distributors list [2] who are under embargo, receives detailed pre-disclosure of a new CVE. With controlled entities on the private distributors list is the SRC exposed to claims of an export of a controlled class of information to a controlled entity? [3]. Case 3: A reporter is privately collaborating with SRC in private conversation around investigation, test code, proof-of-concept experimentation which is never subsequently publicly shared on the internet. Does this conversation represent SRC export of a controlled class of information to a controlled entity? Thanks, [1] https://github.com/kubernetes/committee-security-response/blob/main/security-release-process.md |
Any update on this @caniszczyk ? |
Still a WIP, a new draft is with our legal folks, needs a bit more time.
…On Fri, Mar 25, 2022 at 6:28 PM Davanum Srinivas ***@***.***> wrote:
Any update on this @caniszczyk <https://github.com/caniszczyk> ?
—
Reply to this email directly, view it on GitHub
<#290 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAPSIOIL6H6W4B56ILUAYDVBXZTJANCNFSM5M3SZDTQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
--
Cheers,
Chris Aniszczyk
https://aniszczyk.org
|
UPDATE: @mkdolan has had an initial discussion with some folks from the Kubernetes Security Response Team today and walked through processes that has been documented by SRC. Next step is to set up a call with Mishi Choudhary hopefully the week of April 25th. |
The Kubernetes SC has requested that the LF look at updating our guidance on export control in relation to the kubernetes security disclosure process and security disclosure in particular:
https://www.linuxfoundation.org/tools/understanding-us-export-controls-with-open-source-projects/
The goal output here would be an update to the above document based on any input through the exercise.
The text was updated successfully, but these errors were encountered: