Security Team
Contacting the team
If you think you have discovered a security vulnerability, please email the security team's TWikiSecurityMailingList at twiki-security@lists.sourceforge.net. The team will analyse the vulnerability and get back to you as soon as possible. Read also the TWikiSecurityAlertProcess.
- NOTE: You don't need to subscribe to the twiki-security list! Only the SecurityTeam is on this list, but anyone can email the team through the twiki-security address. Please subscribe to the TWikiAnnounceMailingList to get notified of security alerts.
Please do not post a BugReport. Once the team has analysed the problem, a less serious report may be dealt with via BugReport, but a critical fix must be distributed to TWiki site administrators before the issue is publicised as a BugReport and in security advisories.
Tasks on being notified of a vulnerability
- The security team will act as follows:
  - Attempt to discuss triage (i.e. prioritise alert action), but if necessary act alone
  - Ensure security alerts are distributed as soon as possible, and within the documented timeframe of the TWikiSecurityAlertProcess, to give admins the chance to temporarily filter or take down vulnerable sites
  - If possible, untar/fix/retar the offered downloadable distribution so admins can get sites up again fast
  - Ensure the proper fixing of the SVN versions (organise it rather than necessarily do it)
- The security team is supported by the SecurityTeamSupportGroup
Additional Responsibilities
--
Contributors: CrawfordCurrie, RichardDonkin, SamHasler, PeterThoeny
Discussion and Feedback
In a discussion in IRC started by RichardDonkin, it was agreed that TWiki needs a Security Triage Team to handle security alerts and their follow-up. The following people were nominated:
--
CrawfordCurrie - 25 Nov 2004
This is great - need some more detail on how this fits into TWikiSecurityAlertProcess, email lists to contact team, and so on.
UPDATE: Not sure why there's no 'create or coordinate patch creation for fix' as step 3 - surely a prelude to fixing the distros?
--
RichardDonkin - 25 Nov 2004
Should there be a mailto link on this topic and elsewhere (BugReport?) for reporting security issues in a consistent manner?
--
SamHasler - 26 Nov 2004
Yes, next email list to be set up is to report to triage team.
Triage team is a bit techie sounding, not sure if we need the 'triage' bit.
--
RichardDonkin - 26 Nov 2004
Renaming this to 'security team' to go with the terminology on TWikiSecurityAlertEmail.
The only remaining step is to create the security team list - this should be:
Name: TWiki Security Team
Email: twiki-security at lists.sourceforge.net
--
RichardDonkin - 27 Nov 2004
twiki-security@lists.sourceforge.net has been set up; as usual, it will take a few hours to be activated.
--
PeterThoeny - 27 Nov 2004
Some refactoring above to include mailto: link to new email address, and how / why to contact the security team. Just wanted something here since the alert email is going out now and includes a link to this page.
--
RichardDonkin - 28 Nov 2004
I'd like to suggest that the twiki-security list contains all people that have commit access to the twiki repository, as in DevelopBranch people and TWikiCore people.
--
SvenDowideit - 29 Nov 2004
Good idea to have a slightly larger list of developers on the list, though the security team itself would be the ones responsible for triaging vulnerabilities - ideally would include people responsible for packaging TWiki for various OSs, e.g. Sven for TWikiOnDebian. The Mozilla Security model is an interesting one, see their Security Bugs Policy in particular as well as their Mozilla Security page.
I think that we might not invite very new additions to the committers list to the security list, unless they have been doing TWiki stuff for some time before that. This is just a hypothetical issue really, can't think of anyone this would apply to at the moment!
I've also put a note above explaining there is no need to join the list to send an alert. There are a handful of people who seem to think this is the announcement list, which is why it might be better called twiki-security-team, but there aren't enough to make it worth changing the list name.
--
RichardDonkin - 10 Dec 2004
Richard volunteered to be on the security team. This is a very good fit since Richard has lots of experience in multiple platforms and internationalization.
--
PeterThoeny - 15 Dec 2004
Due to lack of time and availability, resigned from the security team
--
ColasNahaboo - 27 Mar 2006
I am pleased to announce that KennethLavrsen has joined the Security Team. Please send a warm welcome to Kenneth!
--
PeterThoeny - 30 Mar 2006