Posted to security-discuss@community.apache.org by Mark J Cox <mj...@apache.org> on 2022/01/02 15:58:04 UTC

Re: Introduction

On Tue, Dec 28, 2021 at 1:50 PM Mark Thomas <ma...@apache.org> wrote:
<snip>

> In terms of what this means for the ASF, my thoughts are:
>
> - We should be encouraging projects to think about the NIST
>    recommendations and how to apply them to their project.
>
> - We should think about what our answer should be when organisations ask
>    "How can we help?". Donations of cash, hardware and/or services will
>    be part of it but I think we need a response that includes allocating
>    employees to contribute to projects and how we help organisations
>    and individuals do that who are unfamiliar with how the ASF works.
>
> - We need to consider whether projects that are not releasing
>    regularly really are healthy. Could they realistically respond to a
>    security vulnerability in a reasonable time frame? If not, we need to
>    move them to the attic.
>

And we need a clear way to communicate that, and EOL releases, to users so
they know the status of what they're using.  There are quite a number of
examples where a project has responded to a vulnerability reporter that
some version is EOL but it's not been clear enough on their pages, nor any
real announcement ever having been made.  We need a consistent policy on
what to do about vulnerabilities that come up in EOL versions, and when to
allocate them CVE names ("there's an unfixed issue in X") in order to help
users with scanning tools also notice when they're using out of date and
now insecure projects.


> - We should consider making SRC:CLR available as a service to projects
>
> - We need to consider how we can increase the support we provide to
>    projects that need it when they are handling security vulnerabilities
>

We've never really asked projects about this.  We sometimes get responses
thanking us for various help or advice or provided tools or with
suggestions for improvements, but it could be worth trying to properly
capture what help and support projects would find useful.

Mark