Merge pull request #449 from LiZhenCheng9527/add-securityTeam
Added provision for joining the security team
Showing 3 changed files with 73 additions and 0 deletions.
community/security/comms-templates/join-announcement-email-list.md (27 additions & 0 deletions)
@@ -0,0 +1,27 @@ | ||
_Use this email template for applying for membership of kurator-security@googlegroups.com._ | ||
|
||
TO: `kurator-security@googlegroups.com` | ||
|
||
SUBJECT: `Distributors Application` | ||
|
||
_See [Private distributors list](https://github.com/kurator-dev/kurator/community/security/private-distributors-list.md#request-to-join) for additional places the request could be posted._ | ||
|
||
--- | ||
|
||
## **Please answer the following questions and provide supporting evidence for meeting the [membership criteria](https://github.com/kurator-dev/kurator/community/security/private-distributors-list.md#membership-criteria).** | ||
|
||
### 1. **Actively monitored security email alias for our project:** | ||
|
||
### 2. **Have a user base not limited to your own organization.** | ||
|
||
### 3. **Have a publicly verifiable track record up to present day of fixing security issues.** | ||
|
||
### 4. **Not be a downstream or rebuild of another distribution.** | ||
|
||
### 5. **Be a participant and active contributor in the community.** | ||
|
||
### 6. **Accept the [Embargo Policy](https://github.com/kurator-dev/kurator/community/security/private-distributors-list.md#embargo-policy).** | ||
|
||
### 7. **Be willing to [contribute back](https://github.com/kurator-dev/kurator/community/security/private-distributors-list.md#contributing-back).** | ||
|
||
### 8. **Have someone already on the list vouch for the person requesting membership on behalf of your distribution.** |
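Review bot: the three links in this template (`https://github.com/kurator-dev/kurator/community/security/private-distributors-list.md#...`) are missing the `blob/<branch>/` segment, so they will not resolve to the file on GitHub; since this template lives in `community/security/comms-templates/`, relative links such as `../private-distributors-list.md#membership-criteria` would work both on GitHub and in a local checkout. Minor style point: criterion 1 ends with a colon while criteria 2 through 8 end with a period.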
File renamed without changes.
@@ -0,0 +1,46 @@ | ||
## Private Distributors List | ||
|
||
This list is used to provide actionable information to multiple distribution vendors at once. This list is not intended for individuals to find out about security issues. | ||
|
||
### Embargo Policy | ||
|
||
Members of the security [kurator-security@googlegroups.com](mailto:kurator-security@googlegroups.com) mailing list must share list information only within their teams, on a need-to-know basis to get the related issue fixed in their distribution. The information members and others receive from the list must not be made public, shared, nor even hinted at otherwise, except with the list's explicit approval. This holds true until the public disclosure date/time that was agreed upon by the list. | ||
|
||
Before any information from the list is shared with respective members of your team required to fix an issue, they must agree to the same terms and only find out information on a need-to-know basis. | ||
|
||
In the unfortunate event you share the information beyond what is allowed by this policy, you **must** urgently inform [the Security Team](mailto:kurator-security@googlegroups.com) of exactly what information leaked and to whom, as well as the steps that will be taken to prevent future leaks. | ||
|
||
Repeated offenses may lead to the removal from the distributors list. | ||
|
||
### Contributing Back | ||
|
||
This is a team effort. As a member of the list you must carry some water. This | ||
could be in the form of the following: | ||
|
||
- Review and/or test the proposed patches and point out potential issues with | ||
them (such as incomplete fixes for the originally reported issues, additional | ||
issues you might notice, and newly introduced bugs), and inform the list of the | ||
work done even if no issues were encountered. | ||
|
||
### Membership | ||
|
||
Group membership is managed [here](security-groups.md). | ||
|
||
### Membership Criteria | ||
|
||
To be eligible for the [kurator-security@googlegroups.com](mailto:kurator-security@googlegroups.com) mailing list, your distribution should: | ||
|
||
1. Have an actively monitored security email alias for our project. | ||
2. Have a user base not limited to your own organization. | ||
3. Have a publicly verifiable track record up to present day of fixing security issues. | ||
4. Not be a downstream or rebuild of another distribution. | ||
5. Be a participant and active contributor in the Kurator community. | ||
6. Accept the Embargo Policy that is outlined above. | ||
7. Be willing to contribute back. | ||
8. Have someone already on the list vouch for the person requesting membership on behalf of your distribution. | ||
|
||
**Removal**: If your distribution stops meeting one or more of these criteria after joining the list then you will be unsubscribed. | ||
|
||
### Request to Join | ||
|
||
File an issue [here](https://github.com/kurator-dev/kurator/issues/new/choose), or send an [email](comms-templates/join-announcement-email-list.md), filling in the criteria template. |
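Review bot: the Embargo Policy section uses `kurator-security@googlegroups.com` both as the private distributors list and as "the Security Team" that members must notify when embargoed information leaks, so a leak report (and, per the comms template, a membership application) would be delivered to every distributor on the list rather than to the maintainers who triage security issues; consider a separate team address for reports and applications, or state explicitly that the two are the same group. Also, the Membership section links to `security-groups.md`, which is not one of the files added in this change; confirm it exists at that path or the link will be dead. The "Contributing Back" list introduces "the following" but contains a single bullet; either add the other expected forms of contribution or reword the lead-in.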