From 6d33e553061f6c6560af8060445ca436142ff8a1 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 18 Nov 2024 10:54:04 +1000 Subject: [PATCH] doc: SRT administrative processes --- README.md | 7 +-- docs/README.md | 10 ++++ docs/call-for-volunteers-example.md | 64 ++++++++++++++++++++++++ docs/membership.md | 76 +++++++++++++++++++++++++++++ docs/reports.md | 50 +++++++++++++++++++ 5 files changed, 201 insertions(+), 6 deletions(-) create mode 100644 docs/README.md create mode 100644 docs/call-for-volunteers-example.md create mode 100644 docs/membership.md create mode 100644 docs/reports.md diff --git a/README.md b/README.md index 47064f9..ec9074f 100644 --- a/README.md +++ b/README.md @@ -131,12 +131,7 @@ The above [TOML] "front matter" is followed by the long description in [Markdown ## Current Members -- [Tristan de Cacqueray](mailto:tristan.cacqueray@gmail.com) -- [Gautier Di Folco](mailto:gautier.difolco@gmail.com) -- [Mihai Maruseac](mailto:mihai.maruseac@gmail.com) -- [Casey Mattingly](mailto:case@capsulecorp.org) -- [David Thrane Christiansen](mailto:david@haskell.foundation) -- [Fraser Tweedale](mailto:frase@frase.id.au) +Please see [Current members](./docs/membership.md). ## Processes diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 0000000..2516f06 --- /dev/null +++ b/docs/README.md @@ -0,0 +1,10 @@ +# Haskell Security Response Team documentation + +The files in the directory document the functional and +administrative processes of the Haskell Security Response Team. + +- [SRT membership processes](./membership.md) +- [Quarterly reports](./reports.md) + +Documentation for our tools, libraries and the advisory source +format live in the `code/` directory of the main repo. diff --git a/docs/call-for-volunteers-example.md b/docs/call-for-volunteers-example.md new file mode 100644 index 0000000..52d218b --- /dev/null +++ b/docs/call-for-volunteers-example.md @@ -0,0 +1,64 @@ +**(PREAMBLE)** + +The Security Response Team (SRT) is formally calling for +applications to join the SRT. People from the Haskell community +with information security experience are encouraged to apply. This +is an opportunity to have a large impact on the practice of Haskell +programming going forward. If you have an interest in helping the +team continue its mission, please apply! + +## Security Response Team responsibilities + +The general responsibilities of the SRT are: + +- Manage the Haskell Security Advisory Database, on behalf of the + Haskell community and the Haskell Foundation. +- Triage and assess incoming security reports or proposed/candidate + security advisories. +- Assist reporters to determine CVSS scores and CWE values for + confirmed security issues. +- Communicate with package maintainers and the community to promote + the timely resolution of reported security issues. +- Ensure the security advisory data are useful for downstream + security tooling. (Development of downstream tooling is not an SRT + responsibility, but engaging with the developers is) +- Report quarterly on the activities of the SRT and + statistics/trends in new security issues. + +## How can you help? + +- You can apply. +- If you don’t want to apply but know someone who would be great, + encourage them to apply. +- Applicants should have experience in one or more of the following + areas: + - web application security + - information security incident response + - vulnerability research and analysis + - penetration testing + - cryptography + - authentication and identity management + - governance, risk management and compliance (GRC) + - secure application development + - algorithms, data structures, and their role in DoS attacks + - related disciplines + +## Who is involved? + +The current membership of the SRT is: + +- ***(CURRENT MEMBERS)*** + +The team is hoping to gain ***(FILL ME)*** new members via this call +for volunteers. + +## How to apply + +Email ***(DELEGATE )*** with subject ***Haskell SRT +Application***. Include a brief overview of your background in +security and the specific topics (e.g. from the list above) with +which you have experience. + +## Deadline + +Please submit your applications by end of day ***(DEADLINE)***. diff --git a/docs/membership.md b/docs/membership.md new file mode 100644 index 0000000..5779d1e --- /dev/null +++ b/docs/membership.md @@ -0,0 +1,76 @@ +# SRT members and membership processes + +## Current members + +- Fraser Tweedale (SRT project leader; 2023-05–) +- Gautier Di Folco (2023-05–) +- Lei Zhu (2024-10–) +- Mihai Maruseac (2023-05–) +- Montez Fitzpatrick (2024-10–) +- Tristan de Cacqueray (2023-05–) + +## Former members + +We thank past members for their valuable contributions! + +- Casey Mattingly (2023-05–2024-06) + +## Member onboarding (and offboarding) + +There are some necessary tasks when members join or leave the SRT. +These are: + +- Update the member lists in this document. + +- Add (or remove) the member from the + `security-advisories[at]haskell.org` mailing list. Contact the + [Haskell Infrastructure Admins][haskell-infra] for assistance. + +- Add (or remove) the member from the VINCE group, if they are + participating in that capacity. + +- Update the member list at https://www.haskell.org/security/. + By pull request against + [https://github.com/haskell-infra/www.haskell.org/](haskell-infra/www.haskell.org). + +- Announce the membership change(s) on [Discourse]. Usually this + could be included in the quarterly report. + +[haskell-infra]: https://github.com/haskell-infra/haskell-admins +[Discourse]: https://discourse.haskell.org/ + + +## Running a Call for Volunteers + +To fill vacancies or grow the SRT, run a *Call for Volunteers*. +The following is a rough guide on how we do that. + +- For previous calls, we appointed an SRT member to receive the + applications (to their personal email address). + +- *After applications close*, they compile the applications and + share with the rest of the SRT for review. We start a voting + thread on the mailing list, each member states their preferred + applicant(s) with summary reasons, and we reach a consensus. This + process has worked well, so far. + +- See [example content](call-for-volunteers-example.md). There are + some placeholders to be filled. The content can be modified as + needed. + +- Publish the call on [Discourse] and promote it in the logical ways + (e.g. Haskell Foundation social media, r/haskell, etc). + +- The application period should be about 4 weeks. Bump and do + another burst of promotion at the halfway point. + +- After the application deadline, the full SRT membership reviews + the proposals and selects the new member(s). + +- Notify the successful applicant(s) and seek their affirmation that + they are prepared to join the SRT. + +- Notify unsuccessful applicants before public announcement of the + outcome. + +- Commence onboarding and notify the community of the outcome. diff --git a/docs/reports.md b/docs/reports.md new file mode 100644 index 0000000..2eb9b9d --- /dev/null +++ b/docs/reports.md @@ -0,0 +1,50 @@ +# SRT reporting + +The SRT is to report each quarter to update the community on the +activities and plans of the SRT. + +## Who should write the report? + +The SRT project lead prepares the report (though the task could be +delegated with sufficient notice). It is a good idea to gather +items for the report through the reporting period, so you don't +forget anything significant. + +## Publishing reports + +The canonical version of each report is committed to this repo under +`/reports/`. + +Each report should also be republished on [Discourse], and added to +the list of reports at https://www.haskell.org/security/ (file a +pull request against +[https://github.com/haskell-infra/www.haskell.org/](haskell-infra/www.haskell.org)). + +Reports for the previous quarter should generally be published in +the first few weeks following that quarter. In some cases we have +delayed a report to include significant new developments, e.g. the +result of a *Call for Volunteers*. + +[Discourse]: https://discourse.haskell.org/ + +## Report content + +Each report should contain: + +- A preamble explaining what the SRT is and who are its members + (just copy the preamble from the previous report). + +- Statistics about the number of contemporary and historical + advisories added to the advisory database during the reporting + period. Also mention any new or outstanding HSEC ID reservations + (for embargoed issues), and any other significant updates to the + **content** of the advisory DB. + +- Discussion of any significant security incidents during the + reporting period that impacted Haskell infrastructure, the + toolchain, or the library ecosystem. + +- Mention of notable updates to SRT-owned tools and libraries, and + related developments in downstream tooling. + +- Any other news related to Haskell ecosystem security.