Hi,
As SIGs come up and move forward - we are going to need to have a better established, documented and process-driven security response team. While we can, in a pinch, reach into and request some resources from the RedHat SRT, they are in no way bound to help or even be involved in the overall CentOS Ecosystem - and we should really set up our own group to handle these requests.
In the past conversations we had thought of setting up a group of maybe 3 to 5 people, who can triage and communicate with the respective groups of people responsible for the code or infra in question.
This would not only include CentOS resources, but also be the contact point for upstream security notices from projects associated with us. In this case, they would be the people managing security@centos.org - with that email address being the primary contact for projects in the SIGs' upstream as well.
We would also then set up a private security mailing list.
Thoughts? Comments? Feedback?