Skip to content

Commit

Permalink
doc: SRT administrative processes
Browse files Browse the repository at this point in the history
  • Loading branch information
frasertweedale committed Nov 18, 2024
1 parent b0109f9 commit 6d33e55
Show file tree
Hide file tree
Showing 5 changed files with 201 additions and 6 deletions.
7 changes: 1 addition & 6 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -131,12 +131,7 @@ The above [TOML] "front matter" is followed by the long description in [Markdown

## Current Members

- [Tristan de Cacqueray](mailto:[email protected])
- [Gautier Di Folco](mailto:[email protected])
- [Mihai Maruseac](mailto:[email protected])
- [Casey Mattingly](mailto:[email protected])
- [David Thrane Christiansen](mailto:[email protected])
- [Fraser Tweedale](mailto:[email protected])
Please see [Current members](./docs/membership.md).

## Processes

Expand Down
10 changes: 10 additions & 0 deletions docs/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
# Haskell Security Response Team documentation

The files in the directory document the functional and
administrative processes of the Haskell Security Response Team.

- [SRT membership processes](./membership.md)
- [Quarterly reports](./reports.md)

Documentation for our tools, libraries and the advisory source
format live in the `code/` directory of the main repo.
64 changes: 64 additions & 0 deletions docs/call-for-volunteers-example.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
**(PREAMBLE)**

The Security Response Team (SRT) is formally calling for
applications to join the SRT. People from the Haskell community
with information security experience are encouraged to apply. This
is an opportunity to have a large impact on the practice of Haskell
programming going forward. If you have an interest in helping the
team continue its mission, please apply!

## Security Response Team responsibilities

The general responsibilities of the SRT are:

- Manage the Haskell Security Advisory Database, on behalf of the
Haskell community and the Haskell Foundation.
- Triage and assess incoming security reports or proposed/candidate
security advisories.
- Assist reporters to determine CVSS scores and CWE values for
confirmed security issues.
- Communicate with package maintainers and the community to promote
the timely resolution of reported security issues.
- Ensure the security advisory data are useful for downstream
security tooling. (Development of downstream tooling is not an SRT
responsibility, but engaging with the developers is)
- Report quarterly on the activities of the SRT and
statistics/trends in new security issues.

## How can you help?

- You can apply.
- If you don’t want to apply but know someone who would be great,
encourage them to apply.
- Applicants should have experience in one or more of the following
areas:
- web application security
- information security incident response
- vulnerability research and analysis
- penetration testing
- cryptography
- authentication and identity management
- governance, risk management and compliance (GRC)
- secure application development
- algorithms, data structures, and their role in DoS attacks
- related disciplines

## Who is involved?

The current membership of the SRT is:

- ***(CURRENT MEMBERS)***

The team is hoping to gain ***(FILL ME)*** new members via this call
for volunteers.

## How to apply

Email ***(DELEGATE <EMAIL@ADDRESS>)*** with subject ***Haskell SRT
Application***. Include a brief overview of your background in
security and the specific topics (e.g. from the list above) with
which you have experience.

## Deadline

Please submit your applications by end of day ***(DEADLINE)***.
76 changes: 76 additions & 0 deletions docs/membership.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
# SRT members and membership processes

## Current members

- Fraser Tweedale (SRT project leader; 2023-05–)
- Gautier Di Folco (2023-05–)
- Lei Zhu (2024-10–)
- Mihai Maruseac (2023-05–)
- Montez Fitzpatrick (2024-10–)
- Tristan de Cacqueray (2023-05–)

## Former members

We thank past members for their valuable contributions!

- Casey Mattingly (2023-05–2024-06)

## Member onboarding (and offboarding)

There are some necessary tasks when members join or leave the SRT.
These are:

- Update the member lists in this document.

- Add (or remove) the member from the
`security-advisories[at]haskell.org` mailing list. Contact the
[Haskell Infrastructure Admins][haskell-infra] for assistance.

- Add (or remove) the member from the VINCE group, if they are
participating in that capacity.

- Update the member list at https://www.haskell.org/security/.
By pull request against
[https://github.com/haskell-infra/www.haskell.org/](haskell-infra/www.haskell.org).

- Announce the membership change(s) on [Discourse]. Usually this
could be included in the quarterly report.

[haskell-infra]: https://github.com/haskell-infra/haskell-admins
[Discourse]: https://discourse.haskell.org/


## Running a Call for Volunteers

To fill vacancies or grow the SRT, run a *Call for Volunteers*.
The following is a rough guide on how we do that.

- For previous calls, we appointed an SRT member to receive the
applications (to their personal email address).

- *After applications close*, they compile the applications and
share with the rest of the SRT for review. We start a voting
thread on the mailing list, each member states their preferred
applicant(s) with summary reasons, and we reach a consensus. This
process has worked well, so far.

- See [example content](call-for-volunteers-example.md). There are
some placeholders to be filled. The content can be modified as
needed.

- Publish the call on [Discourse] and promote it in the logical ways
(e.g. Haskell Foundation social media, r/haskell, etc).

- The application period should be about 4 weeks. Bump and do
another burst of promotion at the halfway point.

- After the application deadline, the full SRT membership reviews
the proposals and selects the new member(s).

- Notify the successful applicant(s) and seek their affirmation that
they are prepared to join the SRT.

- Notify unsuccessful applicants before public announcement of the
outcome.

- Commence onboarding and notify the community of the outcome.
50 changes: 50 additions & 0 deletions docs/reports.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
# SRT reporting

The SRT is to report each quarter to update the community on the
activities and plans of the SRT.

## Who should write the report?

The SRT project lead prepares the report (though the task could be
delegated with sufficient notice). It is a good idea to gather
items for the report through the reporting period, so you don't
forget anything significant.

## Publishing reports

The canonical version of each report is committed to this repo under
`/reports/`.

Each report should also be republished on [Discourse], and added to
the list of reports at https://www.haskell.org/security/ (file a
pull request against
[https://github.com/haskell-infra/www.haskell.org/](haskell-infra/www.haskell.org)).

Reports for the previous quarter should generally be published in
the first few weeks following that quarter. In some cases we have
delayed a report to include significant new developments, e.g. the
result of a *Call for Volunteers*.

[Discourse]: https://discourse.haskell.org/

## Report content

Each report should contain:

- A preamble explaining what the SRT is and who are its members
(just copy the preamble from the previous report).

- Statistics about the number of contemporary and historical
advisories added to the advisory database during the reporting
period. Also mention any new or outstanding HSEC ID reservations
(for embargoed issues), and any other significant updates to the
**content** of the advisory DB.

- Discussion of any significant security incidents during the
reporting period that impacted Haskell infrastructure, the
toolchain, or the library ecosystem.

- Mention of notable updates to SRT-owned tools and libraries, and
related developments in downstream tooling.

- Any other news related to Haskell ecosystem security.

0 comments on commit 6d33e55

Please sign in to comment.