[CentOS-devel] The CentOS Security Response Team

Tue May 20 15:15:09 UTC 2014
Karanbir Singh <kbsingh at centos.org>

Hi,

As SIGs come up and move forward - we are going to need to have a
better established, documented and process-driven security response
team. While we can, in a pinch, reach into and request some resources
from the Red Hat SRT, they are in no way bound to help or even be
involved in the overall CentOS ecosystem - and we should really set up
our own group to handle these requests.

In past conversations we had thought of setting up a group of maybe
3 to 5 people, who can triage and communicate with the respective groups
of people responsible for the code or infra in question.

This would not only include CentOS resources, but also be the contact
point for upstream security notices from projects associated with us. In
this case, they would be the people managing security at centos.org - with
that email address being the primary contact for projects in the SIGs'
upstream as well.

We would also then set up a private security mailing list.

Thoughts? Comments? Feedback?


-- 
Karanbir Singh, Project Lead, The CentOS Project
+44-207-0999389 | http://www.centos.org/ | twitter.com/CentOS
GnuPG Key : http://www.karan.org/publickey.asc