-
Notifications
You must be signed in to change notification settings - Fork 18
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
b0109f9
commit 6d33e55
Showing
5 changed files
with
201 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -131,12 +131,7 @@ The above [TOML] "front matter" is followed by the long description in [Markdown | |
|
||
## Current Members | ||
|
||
- [Tristan de Cacqueray](mailto:[email protected]) | ||
- [Gautier Di Folco](mailto:[email protected]) | ||
- [Mihai Maruseac](mailto:[email protected]) | ||
- [Casey Mattingly](mailto:[email protected]) | ||
- [David Thrane Christiansen](mailto:[email protected]) | ||
- [Fraser Tweedale](mailto:[email protected]) | ||
Please see [Current members](./docs/membership.md). | ||
|
||
## Processes | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
# Haskell Security Response Team documentation | ||
|
||
The files in the directory document the functional and | ||
administrative processes of the Haskell Security Response Team. | ||
|
||
- [SRT membership processes](./membership.md) | ||
- [Quarterly reports](./reports.md) | ||
|
||
Documentation for our tools, libraries and the advisory source | ||
format live in the `code/` directory of the main repo. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
**(PREAMBLE)** | ||
|
||
The Security Response Team (SRT) is formally calling for | ||
applications to join the SRT. People from the Haskell community | ||
with information security experience are encouraged to apply. This | ||
is an opportunity to have a large impact on the practice of Haskell | ||
programming going forward. If you have an interest in helping the | ||
team continue its mission, please apply! | ||
|
||
## Security Response Team responsibilities | ||
|
||
The general responsibilities of the SRT are: | ||
|
||
- Manage the Haskell Security Advisory Database, on behalf of the | ||
Haskell community and the Haskell Foundation. | ||
- Triage and assess incoming security reports or proposed/candidate | ||
security advisories. | ||
- Assist reporters to determine CVSS scores and CWE values for | ||
confirmed security issues. | ||
- Communicate with package maintainers and the community to promote | ||
the timely resolution of reported security issues. | ||
- Ensure the security advisory data are useful for downstream | ||
security tooling. (Development of downstream tooling is not an SRT | ||
responsibility, but engaging with the developers is) | ||
- Report quarterly on the activities of the SRT and | ||
statistics/trends in new security issues. | ||
|
||
## How can you help? | ||
|
||
- You can apply. | ||
- If you don’t want to apply but know someone who would be great, | ||
encourage them to apply. | ||
- Applicants should have experience in one or more of the following | ||
areas: | ||
- web application security | ||
- information security incident response | ||
- vulnerability research and analysis | ||
- penetration testing | ||
- cryptography | ||
- authentication and identity management | ||
- governance, risk management and compliance (GRC) | ||
- secure application development | ||
- algorithms, data structures, and their role in DoS attacks | ||
- related disciplines | ||
|
||
## Who is involved? | ||
|
||
The current membership of the SRT is: | ||
|
||
- ***(CURRENT MEMBERS)*** | ||
|
||
The team is hoping to gain ***(FILL ME)*** new members via this call | ||
for volunteers. | ||
|
||
## How to apply | ||
|
||
Email ***(DELEGATE <EMAIL@ADDRESS>)*** with subject ***Haskell SRT | ||
Application***. Include a brief overview of your background in | ||
security and the specific topics (e.g. from the list above) with | ||
which you have experience. | ||
|
||
## Deadline | ||
|
||
Please submit your applications by end of day ***(DEADLINE)***. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,76 @@ | ||
# SRT members and membership processes | ||
|
||
## Current members | ||
|
||
- Fraser Tweedale (SRT project leader; 2023-05–) | ||
- Gautier Di Folco (2023-05–) | ||
- Lei Zhu (2024-10–) | ||
- Mihai Maruseac (2023-05–) | ||
- Montez Fitzpatrick (2024-10–) | ||
- Tristan de Cacqueray (2023-05–) | ||
|
||
## Former members | ||
|
||
We thank past members for their valuable contributions! | ||
|
||
- Casey Mattingly (2023-05–2024-06) | ||
|
||
## Member onboarding (and offboarding) | ||
|
||
There are some necessary tasks when members join or leave the SRT. | ||
These are: | ||
|
||
- Update the member lists in this document. | ||
|
||
- Add (or remove) the member from the | ||
`security-advisories[at]haskell.org` mailing list. Contact the | ||
[Haskell Infrastructure Admins][haskell-infra] for assistance. | ||
|
||
- Add (or remove) the member from the VINCE group, if they are | ||
participating in that capacity. | ||
|
||
- Update the member list at https://www.haskell.org/security/. | ||
By pull request against | ||
[https://github.com/haskell-infra/www.haskell.org/](haskell-infra/www.haskell.org). | ||
|
||
- Announce the membership change(s) on [Discourse]. Usually this | ||
could be included in the quarterly report. | ||
|
||
[haskell-infra]: https://github.com/haskell-infra/haskell-admins | ||
[Discourse]: https://discourse.haskell.org/ | ||
|
||
|
||
## Running a Call for Volunteers | ||
|
||
To fill vacancies or grow the SRT, run a *Call for Volunteers*. | ||
The following is a rough guide on how we do that. | ||
|
||
- For previous calls, we appointed an SRT member to receive the | ||
applications (to their personal email address). | ||
|
||
- *After applications close*, they compile the applications and | ||
share with the rest of the SRT for review. We start a voting | ||
thread on the mailing list, each member states their preferred | ||
applicant(s) with summary reasons, and we reach a consensus. This | ||
process has worked well, so far. | ||
|
||
- See [example content](call-for-volunteers-example.md). There are | ||
some placeholders to be filled. The content can be modified as | ||
needed. | ||
|
||
- Publish the call on [Discourse] and promote it in the logical ways | ||
(e.g. Haskell Foundation social media, r/haskell, etc). | ||
|
||
- The application period should be about 4 weeks. Bump and do | ||
another burst of promotion at the halfway point. | ||
|
||
- After the application deadline, the full SRT membership reviews | ||
the proposals and selects the new member(s). | ||
|
||
- Notify the successful applicant(s) and seek their affirmation that | ||
they are prepared to join the SRT. | ||
|
||
- Notify unsuccessful applicants before public announcement of the | ||
outcome. | ||
|
||
- Commence onboarding and notify the community of the outcome. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
# SRT reporting | ||
|
||
The SRT is to report each quarter to update the community on the | ||
activities and plans of the SRT. | ||
|
||
## Who should write the report? | ||
|
||
The SRT project lead prepares the report (though the task could be | ||
delegated with sufficient notice). It is a good idea to gather | ||
items for the report through the reporting period, so you don't | ||
forget anything significant. | ||
|
||
## Publishing reports | ||
|
||
The canonical version of each report is committed to this repo under | ||
`/reports/`. | ||
|
||
Each report should also be republished on [Discourse], and added to | ||
the list of reports at https://www.haskell.org/security/ (file a | ||
pull request against | ||
[https://github.com/haskell-infra/www.haskell.org/](haskell-infra/www.haskell.org)). | ||
|
||
Reports for the previous quarter should generally be published in | ||
the first few weeks following that quarter. In some cases we have | ||
delayed a report to include significant new developments, e.g. the | ||
result of a *Call for Volunteers*. | ||
|
||
[Discourse]: https://discourse.haskell.org/ | ||
|
||
## Report content | ||
|
||
Each report should contain: | ||
|
||
- A preamble explaining what the SRT is and who are its members | ||
(just copy the preamble from the previous report). | ||
|
||
- Statistics about the number of contemporary and historical | ||
advisories added to the advisory database during the reporting | ||
period. Also mention any new or outstanding HSEC ID reservations | ||
(for embargoed issues), and any other significant updates to the | ||
**content** of the advisory DB. | ||
|
||
- Discussion of any significant security incidents during the | ||
reporting period that impacted Haskell infrastructure, the | ||
toolchain, or the library ecosystem. | ||
|
||
- Mention of notable updates to SRT-owned tools and libraries, and | ||
related developments in downstream tooling. | ||
|
||
- Any other news related to Haskell ecosystem security. |