Hi Mark,

On Thu, 10 Oct 2024 at 17:06, Mark Thomas <ma...@apache.org> wrote:
> My initial proposal is that PMCs are encouraged to maintain a contact
> list with ASF ID, name and mobile phone number for each PMC member /
> security team member. It could be stored in the PMC private svn repo.
>
> The intention is that it would only be used if email was unavailable or
> if people needed to be told that they urgently needed to pay attention to
> the security@ or private@ list.

I would have nothing against it if my mobile phone number was on some
shared contact list available to the ASF Security Team members.

We usually answer very fast to security reports (usually within 24
hours), but to improve and better coordinate the response, Christian,
Volkan and I came up with a draft for our security response rules:

1. The burden of coordinating answers to security reports falls upon
the PMC chair. Within 24 hours from the report a discussion must be
initiated on either the `private@` or the private Slack channel.
2. The PMC chair designates a deputy that watches `security@` in his
absence. The chair will notify the deputy of his absences (vacations,
workations, etc.), so the absence of the chair should not cause any
delays.
3. If the security report is a security issue and it is critical, the
PMC members agree to perform a fast (24 hours) release vote at this
stage.
4. All the patches to solve a vulnerability must circulate on private channels.
5. Among all the solutions to a vulnerability, the removal of an issue
should be considered first and a patch should be ready.
6. If nobody comes with a proper solution, the "remove feature" patch
should be applied.
7. The release vote should start shortly after the patch has been
submitted to a public repository and can be shortened to 24 hours if
the PMC agreed in point 3.

Piotr
