On 5/20/14, 9:15 PM, Karanbir Singh wrote:
> Hi,
>
> As SIG's come up and move forward - we are going to need to have a
> better established, documented and process driven security response
> team. While we can, in a pinch, reach into and request some resources
> from the RedHat SRT, they are in no way bound to help or even be
> involved in the overall CentOS Ecosystem - and we should really setup
> our own group to handle these requests.
>
> In the past conversations we had thought of setting up a group of maybe
> 3 to 5 people, who can triage and communicate with the respective groups
> of people responsible for the code or infra in question.

I can help with this. I'm a member of the ruby-core security team and have
done lots of security work with Puppet and other projects so I've got some
existing experience with the process.

> This would not only include centos resources, but also be the contact
> point for upstream security notices from projects associated with us. In
> this case, they would be the people managing security at centos.org - with
> that email address being the primary contact for projects in the SIG's
> upstream as well.
>
> We would also then setup a private security mailing list.
>
> thoughts ? comments ? feedback ?