Many thanks to Ayush for volunteering! Anyone else?

Note that handling vulnerabilities is of utmost importance to an
Apache project. It is one of the four technical requirements
established by ASF [1]. If there are not enough PMC members to handle
CVEs, the project can be taken down.

Best,
Stamatis

[1] https://www.apache.org/dev/project-requirements#technical

On Wed, Sep 13, 2023 at 11:11 AM Ayush Saxena <ayush...@gmail.com> wrote:
>
> Hi Stamatis,
> Thanx for starting the thread, I can volunteer as well.
>
> -Ayush
>
> On Tue, 12 Sept 2023 at 13:43, Stamatis Zampetakis <zabe...@gmail.com> wrote:
> >
> > Hey everyone,
> >
> > When someone discovers a potential security vulnerability for Hive (or
> > any other Apache project) they can opt to inform the PMC of the
> > project by following the ASF guidelines [1]. For Hive, the report
> > should be sent to secur...@hive.apache.org.
> >
> > Next, the PMC follows the steps outlined in [2] to process the report
> > and, if it is deemed necessary, release a fix for the vulnerability.
> >
> > In order to make the CVE process as smooth as possible and ensure that
> > CVE reports are addressed in a timely manner I would like to introduce
> > the notion of a "CVE mentor".
> >
> > The "CVE mentor" is the one responsible for bringing the reported CVE
> > to completion ensuring that the steps in [2] are followed. They are
> > the principal contact person between the reporter of the vulnerability
> > and the PMC and the one who leads the discussions. The triage and fix
> > can be done by the mentor or entrusted to a committer (ensuring of
> > course that everything remains private till a fix is officially
> > released). Given that we need to release a fix very soon after a
> > vulnerability is fixed the mentor may also need to act as the release
> > manager. Since the reports arrive in the private list the CVE mentor
> > should be someone that has access to the security list (all PMC and
> > few other individuals).
> >
> > However, for the idea to work we need a few people (preferably PMC) to
> > volunteer for the role of the "CVE mentor". Then the volunteers can
> > pick incoming CVE reports in a round robin fashion. Needless to say
> > that since I am the one proposing it, I would like to be part of the
> > list.
> >
> > Any additional thoughts or suggestions on how to improve this process
> > are very welcome. Also, if you like the idea and want to volunteer,
> > please reply to this email to add yourself to the list.
> >
> > Best,
> > Stamatis Zampetakis
> >
> > [1] https://www.apache.org/security/
> > [2] https://www.apache.org/security/committers.html#possible