2021-12-13 Meeting Minutes

	Hyperledger is committed to creating a safe and welcoming community for all. For more information please visit the Hyperledger Code of Conduct.

Welcome and Introductions

Who you are, which project you represent, your role in the project and what your interest is in the Hyperledger security process effort.

Welcome
Review the document proposed by Ry https://lf-hyperledger.atlassian.net/wiki/display/TF/Gaps+between+guidance+and+implementation+for+CSVD
Survey & feedback from project teams.
Frequency and period of task force.
Set goals for the task force.
- Define expectations.
- Define timelines and deliverables, actionable items.
Open agenda

To address:
1. Key contact points from each of the project.
2. Check if the reported issue is a vulnerability/CVE.
3. What if the reporter is from within the project.
4. Follow up with maintainers, what happened to the issue that was raised?
5. Do not use mailing list as it is functional today.
Suggestions:
1. Establish a process for reporting CVEs.
2. Make use of GitHub CVE reporting feature to auto notify dependent projects.
3. Survey while feeding in new issues ~ justify.
  1. Do calculate the score - questionnaire based report is not sufficient.
  2. Notify the third party (outside the project with familiarity of the reported issue). Consider reporter given their research motives.
4. Use HackerOne as proposed in Gaps between guidance and implementation for CSVD - increase participation. Ask GB to sponsor.
5. Process for auditing reported issues.
6. In case of reporter is a member of the project team, create a checklist for members to follow to create a trace that provides auditability of what was done.
Gap in OpenSSF
1. Goal: provide feedback to OpenSSF so that their guidelines can be improved

Recordings

	File	Modified
Labels No labels Preview View	File TSC Security TF 2021 12 13.vtt	Dec 13, 2021 by Ry Jones
Labels No labels Preview View	Text File TSC Security TF 2021 12 13.txt	Dec 13, 2021 by Ry Jones

Download All