Gaps between guidance and implementation for CSVD

Guidance comes from Guide to implementing a coordinated vulnerability disclosure process for open source projects.

Current implementation comes mostly from the Security wiki space.

The TSC asked on 30-SEP-2021 for some documentation of where we are, where we should be, and how we might get there.

Proposals:

  1. OSSF provides a sample security.md, which I propose the TSC adopt because it is simple; it would replace all existing SECURITY.md files across Hyperledger. The current security@hyperledger email alias would be used directly; currently that alias is redirected to a list whose members come from several projects.
  2. Fabric uses HackerOne for intake as well. I propose expanding that program to include all graduated projects; this will require funding from the GB, as currently the only funds in HackerOne are DF from IBM.
  3. OSSF provides a GitHub app, AllStar. I propose enabling it for all GitHub orgs, with the proviso that it is only enforced for repos connected to a graduated project.
  4. I propose that proposal 3 be encouraged, but not required, for projects moving into the incubation state, regardless of inbound direction.