We still have modules that ship with default system users that have a hardcoded username and a hardcoded password. In all of these modules the sysop can configure a different username and a different password; however, this step may be forgotten, or the config may contain a typo. GDPR requires security by default. A module should fail at startup when the username or password configuration is missing. Then the user interface is forgiving and doesn't create an unintended security hole.
Notes:
Do JIRAs exist for the modules which still have default username/passwords?
How many are we talking about here? Is it 1? 2? 8+?
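One way to implement the fail-at-startup behaviour proposed in the item above, as an added example (not code from any of the modules discussed). Java as the module language, the class name `SystemUserConfig` and the variable names `SYSTEM_USER_NAME` and `SYSTEM_USER_PASSWORD` are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

/** Fail-closed loading of system user credentials (illustrative sketch). */
public class SystemUserConfig {
  // Hypothetical variable names; each module defines its own.
  static final String USER_VAR = "SYSTEM_USER_NAME";
  static final String PASS_VAR = "SYSTEM_USER_PASSWORD";
  final String username, password;

  private SystemUserConfig(String u, String p) { username = u; password = p; }

  /** Returns the credentials, or throws if either one is missing or blank. */
  static SystemUserConfig fromEnv(Map<String, String> env) {
    List<String> problems = new ArrayList<>();
    for (String name : List.of(USER_VAR, PASS_VAR)) {
      String value = env.get(name);
      if (value == null || value.isBlank()) {
        problems.add(name + " is missing or blank" + typoHint(env));
      }
    }
    if (!problems.isEmpty()) {
      // Name the variables only; never echo configured values into logs.
      throw new IllegalStateException("Refusing to start: " + String.join("; ", problems));
    }
    return new SystemUserConfig(env.get(USER_VAR), env.get(PASS_VAR));
  }

  /** Lists look-alike variables that are set, which usually indicates a typo. */
  private static String typoHint(Map<String, String> env) {
    String lookAlikes = env.keySet().stream()
        .filter(k -> k.startsWith("SYSTEM_USER") && !k.equals(USER_VAR) && !k.equals(PASS_VAR))
        .sorted().collect(Collectors.joining(", "));
    return lookAlikes.isEmpty() ? "" : " (unrecognised variable set: " + lookAlikes + ")";
  }

  public static void main(String[] args) {
    // Constructed sample environment with a misspelled password variable.
    Map<String, String> env = Map.of(USER_VAR, "svc-example", "SYSTEM_USER_PASWORD", "example-only");
    try {
      System.out.println("Starting as " + fromEnv(env).username);
    } catch (IllegalStateException e) {
      System.err.println(e.getMessage());
      System.exit(1); // no fallback to a built-in default
    }
  }
}
```

In a real module `fromEnv` would be called with `System.getenv()` before any listener or scheduled job is started, so a missing or misspelled setting stops the deployment instead of leaving a default account active.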
Time Permitting
Board / Snyk configuration
Team
The suggestion from Jakub Skoczen last week was to drop mod-reservoir from the security board (possibly Snyk too), since it isn't part of the Folio flower releases. Are there any others we should consider as well? Do we have a policy (or even an opinion) on this?