2021-12-13 Meeting Minutes
Hyperledger is committed to creating a safe and welcoming community for all. For more information please visit the Hyperledger Code of Conduct.
Zoom Link: https://zoom.us/j/97240941339
Welcome and Introductions
Who you are, which project you represent, your role in the project and what your interest is in the Hyperledger security process effort.
Attendees
@Ry Jones
@Danno Ferrin
@Hart Montgomery
@Arun S M
@Peter Somogyvari
@Arnaud J LE HORS
@Cam Parra
@Bruno Vavala
Announcements
Prior work: Replay the 2021-11-18 TSC Meeting Record
Agenda
Welcome
Review the document proposed by Ry https://lf-hyperledger.atlassian.net/wiki/display/TF/Gaps+between+guidance+and+implementation+for+CSVD
Survey & feedback from project teams.
Frequency and period of task force.
Set goals for the task force.
Define expectations.
Define timelines and deliverables, actionable items.
Open agenda
Next Meeting
Future Topics
Notes
To address:
Key contact points from each of the projects.
Check whether the reported issue is a vulnerability/CVE.
What if the reporter is from within the project?
Follow up with maintainers: what happened to the issue that was raised?
Do not use the mailing list as it functions today.
Suggestions:
Establish a process for reporting CVEs.
Make use of GitHub CVE reporting feature to auto notify dependent projects.
Survey while feeding in new issues, to justify the process.
Do calculate the score; a questionnaire-based report is not sufficient.
Notify a third party (someone outside the project who is familiar with the reported issue). Consider the reporter's research motives.
Use HackerOne as proposed in "Gaps between guidance and implementation for CSVD" to increase participation. Ask the GB to sponsor.
Process for auditing reported issues.
If the reporter is a member of the project team, create a checklist for members to follow so that there is an auditable trace of what was done.
Gap in OpenSSF
Goal: provide feedback to OpenSSF so that their guidelines can be improved
Action items
Recordings