Posted to dev@community.apache.org by r00t 4dm <r0...@gmail.com> on 2020/12/23 05:29:38 UTC

How to Join in ASF Security Team?

Hello,

Generally speaking, what conditions need to be met to join ASF security team?

Regards, r00t4dm
Cloud-Penetrating Arrow Lab of Meituan Corp Information Security Department


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@community.apache.org
For additional commands, e-mail: dev-help@community.apache.org


Re: How to Join in ASF Security Team?

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
Just to focus the question a bit at what you might be asking...

On Wed, Dec 23, 2020 at 3:47 AM Mark Thomas <ma...@apache.org> wrote:

> On 23/12/2020 05:29, r00t 4dm wrote:
> > Hello,
> >
> > Generally speaking, what conditions need to be met to join ASF security team?
>
> - ASF member [1]
> - Demonstrated understanding of security vulnerabilities over an
>   extended period of time (typically via membership of the security team
>   for one or more ASF projects)
>

Each project of the ASF has a Project Management Committee. They determine on a project
by project basis whether that project will have a security list, and if so, a restricted
subset of the PMC who are actively participating (or a superset of some guest experts,
who are generally, but not exclusively committers.)

The task of the ASF-wide security team is pretty narrow and mundane... simply ensure all
projects are following best practices for communicating security issues, corresponding
appropriately with reporters, and tracking reports spread across the organization. And
lots of mentoring for projects not familiar with the process.

The actual *work* happens project-by-project! So if there is a project you are concerned
with, the best starting point is to participate in the dev list and help fix defects, and
at some point you'll inevitably be asked to help solve security defects. Or bring
actionable concerns to the project's security@ or private@ list for evaluation and
discussion.

Re: How to Join in ASF Security Team?

Posted by Mark Thomas <ma...@apache.org>.
On 23/12/2020 05:29, r00t 4dm wrote:
> Hello,
> 
> Generally speaking, what conditions need to be met to join ASF security team?

- ASF member [1]
- Demonstrated understanding of security vulnerabilities over an
  extended period of time (typically via membership of the security team
  for one or more ASF projects)
- Nomination by the existing members of the security team
- Agreement of the ASF Board of Directors (the Security Team is a board
  committee)

To provide some context:
- each current member of the security team has, on average, been
  involved with the ASF for more than 15 years
- the latest addition to the security team has been involved with the
  foundation for more than 6 years
- 60% of the team are current or former directors of the foundation

To put it another way, information on current, unpatched security
vulnerabilities in Apache products is some of the most sensitive
information the foundation handles and membership of the security team
is managed accordingly.

Mark


[1] http://www.apache.org/foundation/how-it-works.html#roles


> 
> Regards, r00t4dm
> Cloud-Penetrating Arrow Lab of Meituan Corp Information Security Department