Thoughts on SECURITY.md

[kenfinnigan]

Would the foundation require a central mechanism for being aware of vulnerabilities raised against a project?

I could see this being necessary for a few reasons:

• Ensuring initial response is provided within 48 hr window
• Coordination across multiple CF projects for the same vulnerability (such as log4j situation)

[ebullient]

Not out of the gate, and not unless projects agree this would be helpful. It also depends on who is involved (an all volunteer group of folks may not be able to push for 48 hour turnaround).

I can see Commonhaus projects working together if a broadly applicable situation like that arises. So I think this is a question that we would have to decide: how can the foundation best help? If we have funds, can we hire contractors? How do we balance vendor involvement + EU CRA or other requirements + volunteer effort?

[kenfinnigan]

That's reasonable, thanks

[Sanne]

I'd welcome it if some common infrastructure and help were available as opt-in, but perhaps in the spirit of the foundation individual projects should be able to have their own processes, especially if they already have something in place.

The coordination offer is also a nice-to-have, but I suppose that in some cases it's preferrable to honour the "need-to-know" principle and not involve other people unless they can in fact be of help.

This raises the question of reputation defense: should one project be more relaxed than others in responding to vulnerabilities, would other projects feel their reputation is being put at risk? I imagine this would be why other foundations impose strict protocols to all parties, but since it's one of the goals of this foundation to not impose many rules to its different members perhaps it would be better to structure things in such a way that the individual identity of different projects is clearly saparate from the others, in this sense of each to own its reputation.

[ebullient]

The templates are templates. There for projects that do not otherwise have their own. ;)

Size of the project and ability to respond to security issues is something we'd want to work with each project one on one. I think as long as the project sets a clear (and realistic) expectation for handling security issues, we can work the rest out, incuding how or if the foundation can help.

There is a lot here that will need to be figured out with practice and time.

[Sanne]

oh it's a template - great! sorry for the noise, I love it in that case.

[kenfinnigan]

Closing as resolved