Target completion date: Never expires
Keep our users safe
- Respond quickly to security alerts received through the security mailing list or any other possible channel.
- Maintain information confidential and avoid uncoordinated exposure that could harm our users (cf. SecurityAlertProcess).
- Trusted to be members of the security mailing list.
- Evaluating the severity of the report.
- Be able to make a decision to issue a patch release with needed fixes.
Just a note on achievements to date:
- Responded to all security alerts in a timely and effective manner over 2009
- Implemented new CSRF protection features
The association board has a duty to establish the PrivacyPolicy and will be looking to this team to help ensure it is implemented.
Kenneth, can we have a status update please?
- 09 Dec 2009
As Crawford correctly noted we have been responding to all security alerts in 2009 and will continue to do so.
When an alert comes in I am normally taking the initiative to get the problem characterized. I have been adjusting the team a couple of times during 2009. It is essential that people on the team are responsive and help with evaluation, decisions and fixing. People who have not been able to be active in a period have been gently removed from the team and new ones have been added.
It is essential to understand that the security mailing list is only for the active security team members. You cannot join the mailing list just to get early warnings about security issues. For a security team to be efficient and able to keep things secret it must be limited to a need-to-know group.
I believe the current team has the right size. I will continue to dynamically adjust the team members so we have the right mix of skills and people who in this period of their lives have the time to prioritize urgent fixes in our code.
Remember that it is the responsibility of the entire development community to write code with security in mind and to prevent escaped security issues from reaching the attackers before our users have had the time to patch their installations.
We often see people (non-developers) trying to join the security mailing list. They misunderstand the purpose and think it is an announcement mailing list. To those that admin the mailing lists: let me take care of them. I send them a friendly No with guidance to join the announcement mailing list instead.
I want to thank the development community for the incredible focus we have had on security in 2009. Foswiki has significantly raised the bar from a security perspective.
- 10 Dec 2009
This team is in need of a new team lead as Kenneth hasn't been seen on the project for a long time. Kenneth, are you still available? Or anybody else on the list: please step forward to take the lead. Thanks.
- 22 May 2013