2022-02-25 Meeting Minutes
Hyperledger is committed to creating a safe and welcoming community for all. For more information please visit the Hyperledger Code of Conduct.
Welcome and Introductions
Who you are, which project you represent, your role in the project and what your interest is in the Hyperledger security process effort.
Attendees
@Arun S M
@Ryan Lee
@Hart Montgomery
@Mic Bowman
@Weihong Ou
@Danno Ferrin
@Vikram Sharma
@Peter Somogyvari
@Deepika Karanji
Announcements
Agenda
Welcome
Scoring guidelines for blockchain projects in Hyperledger Foundation.
Security threat modelling for blockchain technology.
Broader areas to focus on
Infrastructure security.
Signing artefacts / binary distribution.
Review comments/discussions on https://github.com/ossf/security-reviews
Review scorecard from OpenSSF https://github.com/ossf/scorecard.
Review checklist for reporting vulnerabilities. Covers both the project team and external reporters.
Open agenda
Next Meeting
Future Topics
Notes
Ensuring processes are secure: development, distribution.
Process to report security issues at Hyperledger.
Threat modelling
Define boundaries: infrastructure, networking, development.
How do we measure robustness?
Suggestions such as attesting the build process.
Where to find each project's security review information.
Define how security claims are made in a project. State the assumptions under which each claim holds. Projects should have formal proofs for their claims.
Articulate human-readable definitions of the claims.
Reference https://eprint.iacr.org/2014/765.pdf to learn how this is done for the Bitcoin network.
Breaking the task force into multiple work streams.
How projects handle security reports: should the TSC consider this a metric to measure, and define a process to follow up on it?
Infrastructure related security measures may be influenced by LF policies.
The community hinted at moving these to the LF charter.