(This is a call for votes, but only from members of the Governing Board.) I hereby propose the creation of the Vulnerability Group, with Andrew Gross as the initial Lead.
This Group will be a secure, private forum in which trusted members of the OpenJDK Community can receive reports of vulnerabilities in OpenJDK code bases, review them, collaborate on fixing them, and coordinate the release of such fixes.

This Group will be unusual in several respects, due to the sensitive nature of its work: Membership will be more selective, there will be a strict communication policy, and members (or their employers) will need to sign a non-disclosure and license agreement. These requirements do, strictly speaking, violate the OpenJDK Bylaws. Per our past discussions, however, I trust that Governing Board members will approve the creation of the Group with these exceptional requirements.

The detailed proposal for the Group is here:

  http://cr.openjdk.java.net/~mr/ojvg/

The non-disclosure and license agreement (NDLA) is here:

  http://cr.openjdk.java.net/~mr/ojvg/ojvg-ndla-2018-01-30.pdf

The proposed initial Lead of the Vulnerability Group is Andrew Gross, who leads Oracle's internal Java Vulnerability Team. Andrew has over 25 years' experience in computer security, including discovering and fixing vulnerabilities, performing forensic analyses, tracking intruders, and assisting government and law enforcement. He holds a Ph.D. in electrical engineering from the University of California at San Diego.

The suggested list of initial Group Members is:

  Martin Balao (Red Hat)
  Aaron Bedra
  Tasha Carl
  Paul Cheeseman (IBM)
  John Coomes (Twitter)
  Andrew Gross (Oracle)
  Andrew Haley (Red Hat)
  Frances Ho (Oracle)
  Paul Hohensee (Amazon)
  Andrew Hughes (Red Hat)
  Bernd Mathiske (Amazon)
  Ramki Ramakrishna (Twitter)
  Mark Reinhold (Oracle)
  Simon Ritter (Azul)
  Volker Simonis (SAP)
  Gil Tene (Azul)
  Dalibor Topic (Oracle)
  Jesper Wilhelmsson (Oracle)

(Organizational affiliations are not normally relevant when proposing a new Group; they are shown here to demonstrate that a broad cross-section of downstream maintainers will be represented.)
Only current Governing Board Members [1] are eligible to vote on this motion. Votes must be cast in the open by replying to this mailing list.

Votes are due in two weeks, by 23:00 UTC on Wednesday, 14 March [2].

For Simple Majority voting instructions, see [3].

- Mark

[1] http://openjdk.java.net/census#gb
[2] https://time.is/2300_14_Mar_2018_in_UTC/GMT/EST/PST?OJVG_votes_due
[3] http://openjdk.java.net/groups/#new-group-vote