vincbeck commented on code in PR #30960:
URL: https://github.com/apache/airflow/pull/30960#discussion_r1188663404


##########
.github/SECURITY.rst:
##########
@@ -52,3 +52,69 @@ before disclosing it publicly.
 The `ASF Security team's page <https://www.apache.org/security/>`_ describes
 how vulnerability reports are handled, and includes PGP keys if you wish to use
 that.
+
+
+Handling security issues in Airflow
+-----------------------------------
+
+The security issues in Airflow are handled by the Airflow Security Team. The 
team consists
+of selected PMC members that are interested in looking at, discussing about 
and fixing the
+security issues, but it can also include committers and non-committer 
contributors that are
+not PMC members yet and have been approved by the PMC members in a vote. You 
can request to
+be added to the team by sending a message to [email protected], 
however, the team
+should be small and focused on solving security issues, so the requests will 
be evaluated
+on-case-by-case and the team size will be kept relatively small, limited to 
only actively
+security-focused contributors.
+
+There are certain expectations from the members of the security team:
+
+* They are supposed to be active in assessing, discussing, fixing and 
releasing the
+  security issues in Airflow. While it is perfectly understood that as 
volunteers, we might have
+  periods of lower activity, prolonged lack of activity and participation will 
result in removal
+  from the team, pending PMC decision (the decision on removal can be taken by 
LAZY CONSENSUS among
+  all the PMC members on [email protected] mailing list).
+
+* They are not supposed to reveal the information about pending and unfixed 
security issues to anyone
+  (including their employers) unless specifically authorised by the security 
team members, specifically
+  if diagnosing and solving the issue might involve the need of external 
experts - for example security
+  experts that are available through Airflow stakeholders. The intent about 
involving 3rd parties has
+  to be discussed and agreed up at [email protected].
+
+* They have to have an `ICLA 
<https://www.apache.org/licenses/contributor-agreements.html>`_ signed with
+  Apache Software Foundation.
+
+* The security team members might inform 3rd parties about fixes, for example 
in order to asses if the fix

Review Comment:
   ```suggestion
   * The security team members might inform 3rd parties about fixes, for 
example in order to assess if the fix
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
