Recap on Log4shell | All

- Time to make the fixes took too long.
  - It was not clear which release needed to be fixed. LTS needs to be defined.
  - A new group has been set up to define this. Should reach out to the new group for the status and see if they want somebody from the security team → @Jakub Skoczen has taken this on.
  - Need a support statement for other releases.
- Took too long to respond.
  - When is the security team responsible for reacting? On direct messages, or should we scan several channels? ← Need to define this more clearly in the Charter.
  - Should be a group effort.
  - Need to provide some guidance on community questions / concerns.
- Postpone the retrospective board until Craig is back.

Today's discussion:

- When one of us is alerted to a security issue, we should raise it in our internal Slack channel and start a discussion/triage. Once the risk and impact have been assessed, we should communicate to the interested parties that the security team is aware of the problem and that additional guidance will be forthcoming (ideally with some timeframe).
- Where will the communication be sent? For Log4shell we wrote to a number of different Slack channels: #sys-ops, #development, #releases, etc. Going forward: the #sys-ops channel, plus others as needed, i.e. the applicable/appropriate Slack channel(s).
- How is the triage performed? On Slack? Hold an ad-hoc meeting? Something else? Should be handled on a case-by-case basis. Really, the "how" depends on the situation, but Slack and ad-hoc meetings will work most of the time.
- When do we owe an ack? When do we owe additional guidance?
  - P1 - ASAP (within 2 business days - subject to change)
  - P2 - no later than 1 week
  - Lower than P2 - no expectation of explicit guidance; research may be delegated to dev teams, etc.
  - If the security team doesn't have additional guidance to provide within this timeframe, they will send out a message with an update.
- Who will do the communication?

ACTION: @Axel Dörrer to work this into the FOLIO Vulnerability and Remediation Policy; the security team will review the draft once ready.