knative / community

Knative governance and community material.

Home Page: https://knative.dev/community

Security response team rotation is outdated

aliok opened this issue

Ah, and, it might be good to list publicly who receives mails sent to that email address.

cc @knative/technical-oversight-committee

I believe that the alias is still working.

The rotation was used with https://knative.party/, but since we only had one lead and no other volunteers, it had just been me for a while. It would be great to get a larger set of participants (maybe TOC?).

We didn't sign up for upstream early notifications -- I think that was on julz@'s plate, and the reduction of interest and capacity meant that dropped by the wayside.

Verified that security@knative.team is still working

Is there a requirement to have a vmt.rotation file? Is this documented anywhere? If not, I suggest dropping this page.

We do need to make sure we have the vulnerability procedure well documented and updated.
Let's do another review of disclosure.md and responding.md.

Q from @dprotaso: is the TOC on the security@knative.team mailing list?

It is not currently -- we could add them if desired.