Overview

Recent events have shown that formal policies and processes need to be put in place for the handling of security issues. This spans the entire process, including but not limited to: reporting a bug, triage and risk assessment, implementing fixes, cutting releases, and making announcements. The plan is to form a group to discuss and draft these policies and processes and present them to the Technical Council (TC).

Who

The aim is to compose this group with diverse representation in order to get as many viewpoints as possible. At the same time we are aiming to keep the group on the small side to keep things moving, mitigate scheduling conflicts, etc.

Name              Representation
                  DevOps
                  Developers
                  Developers
                  SysOps
                  SysOps
                  Tech Council / Developers
                  Developers
                  Platform PO / Architects
                  SysOps
                  UI Developers
                  UI Developers
                  Tech Council / Architecture
                  FOLIO Implementation
Peter Murray      Tech Council / Open Source Community
Philip Robinson   SysOps, User Management

When

Each Monday starting October 7, 2019, 11:00 - 12:00 ET, in the #security_policy_group Slack channel.


How

Details are still TBD, but so far the plan is to meet next week (10/7) and go from there. Ideally we can come up with a rough draft or outline from this first meeting, with most of the high-level decisions made, and schedule additional meetings to refine it as needed.

Proposed agendas:

10/7/2019 (Kickoff)

10/14/2019

10/21/2019

10/28/2019

11/11/2019

What

Proposals/options taken straight from the TC meeting notes - a place to start:

Notes

Links

Several links have already been shared in various conversations about this; they may be helpful as models or simply as references.