Security Team Charter

The first responsibility of the Security Team is to perform a triage of reported security vulnerabilities. Each reported security defect is evaluated by the team according to several criteria in order to establish its severity. See the Triage Process section.

  • Reported vulnerabilities will either be moved to the active vulnerability list, or be rejected.
  • Any vulnerability on the active vulnerability list will be assigned a measure of its risk and severity.
  • Vulnerabilities on the active vulnerability list will be ranked in order of priority.

The second responsibility of the Security Team is to manage the lifecycle of identified security vulnerabilities. This includes being the point of notification from the public, maintaining the list of prioritized vulnerability defects, as well as identifying and overseeing the individual or team tasked with resolving the defect. It is the responsibility of the Security Team to declare security vulnerabilities as resolved and communicate their resolution to the public in a responsible manner.

The third responsibility of this team is to provide appropriate notifications to the Folio community and the broader public. See also the Notifications Mechanisms section below.

  • A brief public-facing notification will be made upon the acceptance (post-triage) of any newly identified security vulnerability.
  • Notifications of workarounds will be distributed once available.
  • Resolution of vulnerability defects will also produce notifications.