Summit 2011 Working Sessions / Session 203: Deliverable 1
OWASP Project Disclosure Policy
Ack. From Leader of Issue
First Notice to Project Leaders - Response expected within 7 days from initial notice to leader
Second Notice to Project Leaders - Response expected within 14 days from initial notice to leader
Final Notice to Project Leaders - Response expected within 30 days from initial notice to leader
If the issue is not acknowledged within that period, the issue will be disclosed, in full or in part. Whether disclosure is full or partial is determined and voted on by the GPC on a case-by-case basis.
Ack. of Resolution within 180 days of initial contact
- if project leader provides detailed explanation of why a fix will take longer, GPC can decide to extend the disclosure period in 30 day increments.
The maximum resolution period that will be granted cannot extend beyond 365 days from the date of initial contact.
Example Policies and Bylaws from Founding of the Apache Security Team
A. Reestablishing the Apache Security Team

WHEREAS, the Board of Directors deems it to be in the best interests of the Foundation and consistent with the Foundation's purpose to establish the ASF Board Committee charged with maintaining the security of software produced by the various projects established under the ASF's umbrella, but not for the security of the servers and other infrastructure used by the ASF.

NOW, THEREFORE, BE IT RESOLVED, that the ASF Board Committee, known as the "Apache Security Team", be and hereby is reestablished pursuant to Bylaws of the Foundation; and be it further

RESOLVED, that the Apache Security Team be and hereby is responsible for organization and oversight of efforts to maintain the security of ASF projects and shall act as a single point of contact between the ASF and any entity wishing to report or fix any security related issue in any project.

RESOLVED, that each project shall appoint at least one non-voting liaison to the committee, who shall have commit privilege for the project's repository, and the technical ability to release new versions, advisories or security patches on behalf of the project.

RESOLVED, that the committee shall have the power to act on behalf of any project in matters of security.

RESOLVED, that Mark Cox shall serve at the direction of the Board of Directors as the chair of the Security Team and have primary responsibility for managing the Security Team; and be it further

RESOLVED, that the persons listed immediately below be and hereby are appointed to serve as the members of the Apache Security Team:

Ben Laurie
Mark Cox

There was some discussion over the small number of "initial" members of the team. It was noted that it was expected that new members would be added as soon as the team rebooted.

Special Order 6A, Reestablishing the Apache Security Team, was approved by Unanimous Vote.
Mozilla Security Policies
https://www.mozilla.org/projects/security/security-bugs-policy.html