Gaps between guidance and implementation for CSVD
Guidance comes from the "Guide to implementing a coordinated vulnerability disclosure process for open source projects".
The current implementation is documented mostly in the Security wiki space.
The TSC asked on 30-SEP-2021 for documentation of where we are, where we should be, and how we might get there.
Proposals:
1. OSSF provides a sample security.md, which I propose the TSC adopt; it would replace all existing SECURITY.md files across Hyperledger, as it is simple. The current security@hyperledger email alias would be used directly; at present that alias is redirected to a list whose members come from several projects.
2. Fabric also uses HackerOne for intake. I propose expanding that program to include all graduated projects; this will require funding from the GB, as currently the only funds in HackerOne are DF from IBM.
3. OSSF provides a GitHub app, AllStar. I propose enabling it for all GitHub orgs, with the proviso that it is only enforced for repos connected to a graduated project.
4. I propose that proposal 3 is encouraged, but not required, for projects moving into the incubation state, regardless of inbound direction.
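As an added illustration of proposal 3 (not part of the original page), the following shows how an AllStar deployment could be enabled org-wide while only enforcing on graduated-project repos. AllStar reads org-level settings from `.allstar/allstar.yaml` in a repository named `.allstar` in the org, and per-policy settings from files such as `.allstar/security.yaml`. The repo names are constructed placeholders, and the choice of which policies to turn on is an assumption, not a Hyperledger decision.

```yaml
# .allstar/allstar.yaml  (org-level configuration, in the org's ".allstar" repo)
optConfig:
  # Opt-in strategy: AllStar only acts on repos listed in optInRepos.
  # Proposal 3 maps to "list only the repos of graduated projects here".
  optOutStrategy: false
  optInRepos:
    - graduated-project-a        # constructed placeholder names
    - graduated-project-b

# .allstar/security.yaml  (SECURITY.md presence policy, relevant to proposal 1)
optConfig:
  # Inherit the org-level opt-in list rather than overriding it per policy.
  optOutStrategy: false
action: issue                    # open a tracking issue instead of auto-fixing

# .allstar/branch_protection.yaml  (example of a second policy, assumption)
optConfig:
  optOutStrategy: false
action: issue
```

With an opt-in list, incubation projects are untouched until their repos are added, which is what proposal 4 asks for; the `action: issue` setting surfaces a missing SECURITY.md as a GitHub issue so maintainers see the gap without AllStar modifying the repo.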