...
- Every project is to have a security representative, proposed and approved by the TSC.
- For the purpose of this proposal, only CVEs crossing a certain threshold (i.e. score >= 7) are considered. Projects are to address such CVEs within 90 days of their being reported.
- Goals:
  - Avoid high-profile/high-severity vulnerabilities that are trivial and easy to exploit.
- Proposal:
  - Every project will be issued a badge for best practice in CVE handling when it incubates. The CVE best practices badge is reviewed every quarter; the TSC may decide to revoke the badge if the project is not complying with the requirements.
  - A question will be introduced in the quarterly reports that each project shall answer. The question is to establish whether any high-severity CVE (i.e. score >= 7) remained unaddressed beyond 90 days in the previous quarter: "Does your project have any CVEs with score 7 or more reported and unaddressed for 90 days or more in the previous quarter? If yes, please list the CVEs."
  - Reconsider: The requirement is that a project does not have a high-severity CVE (i.e. score >= 7) unaddressed for more than 90 days. If a project fails to meet this, the maintainers shall give a statement of the reason for the delay and receive a 30-day extension. There can be 2 such extensions in total. If high-severity CVEs (score >= 7) are still unaddressed at the end of 150 days, the TSC can vote to revoke the CVE best practices badge. This is difficult for projects like Aries.
  - Collect the data instead of showcasing the badges; this will allow better visualization of how good a project is from the security standpoint.
  - Mandatory release policy after a minimum number of days.
  - The revocation period of the CVE best practices badge is 6 months. A project shall re-apply through a TSC vote and show that the best practices have been followed for the last 6 months.
- Goals: