[CentOS-devel] The CentOS Security Response Team

Tue May 20 16:30:20 UTC 2014
Sam Kottler <s at shk.io>

On 5/20/14, 9:15 PM, Karanbir Singh wrote:
> Hi,
>
> As SIGs come up and move forward - we are going to need to have a
> better established, documented and process driven security response
> team. While we can, in a pinch, reach into and request some resources
> from the RedHat SRT, they are in no way bound to help or even be
> involved in the overall CentOS Ecosystem - and we should really set up
> our own group to handle these requests.
>
> In the past conversations we had thought of setting up a group of maybe
> 3 to 5 people, who can triage and communicate with the respective groups
> of people responsible for the code or infra in question.

I can help with this. I'm a member of the ruby-core security team and
have done lots of security work with Puppet and other projects, so I've
got some existing experience with the process.

>
> This would not only include centos resources, but also be the contact
> point for upstream security notices from projects associated with us. In
> this case, they would be the people managing security at centos.org - with
> that email address being the primary contact for projects in the SIGs'
> upstream as well.
>
> We would also then setup a private security mailing list.
>
> thoughts? comments? feedback?