Let's start the charter ✨ #1
Conversation
| - Recommend security improvements for the project and the packages in scope | ||
| - Support the TSC team on security triage as needed | ||
| - Support initiatives from the [OpenJS Foundation Security Collab Space](https://github.com/openjs-foundation/security-collab-space). | ||
| - Support initiatives from the OpenSSF [Best Practices for Open Source Developers Working Group](https://github.com/ossf/wg-best-practices-os-developers). |
There was a problem hiding this comment.
We can skip this one, as we try to bring the initiatives first to the Collab Space
|
|
||
| ### Responsibilities | ||
|
|
||
| - Define the Security triage role |
There was a problem hiding this comment.
Probably this can be also a good next initiative, define how the triage work is done in much more detail
|
|
||
| The Security Working Group is composed of two groups of members: the Security Triage Team and the Regular members. The regular members are responsible for the public facing activity of the group, while the Security Triage Team is responsible for the security triage process. | ||
|
|
||
| ### Security Triage Team @webpack/security-triage |
There was a problem hiding this comment.
I assumed that we want to list them here
| |------------|----------|--------|-------| | ||
| | Kick off the WG | [@UlisesGascon](https://github.com/UlisesGascon) | In progress | _none_ | | ||
| | Incident Response Plan | [@RafaelGSS](https://github.com/rafaelgss) | In progress | [PR #19841](https://github.com/webpack/webpack/pull/19841)| |
There was a problem hiding this comment.
This was an example, feel free to suggest/remove 👍
|
|
||
| ## Members | ||
|
|
||
| The Security Working Group is composed of two groups of members: the Security Triage Team and the Regular members. The regular members are responsible for the public facing activity of the group, while the Security Triage Team is responsible for the security triage process. |
There was a problem hiding this comment.
I assumed that this repo and the group work will be potentially public in the future. The triage part will be private (to prevent early disclosure) as we do in Node/Express.
| ### Lead Members @webpack/security-wg-leads | ||
|
|
||
| _TBA_ | ||
|
|
||
| ### Team Members @webpack/security-wg | ||
|
|
||
| - [Claudio Wunder](https://github.com/ovflowd) | ||
| - [Even Stensberg](https://github.com/evenstensberg) | ||
| - [Rafael Gonzaga](https://github.com/RafaelGSS) | ||
| - [Ulises Gascón](https://github.com/UlisesGascon) |
There was a problem hiding this comment.
Feel free to update roles and members
|
|
||
| ## Meetings | ||
|
|
||
| The Security Working Group meets on an ad hoc basis. The meeting is open to the public. The agenda and meeting notes are published in this repository. You can find the calendar entries in the [OpenJS Foundation calendar](https://openjsf.org/collaboration). |
There was a problem hiding this comment.
I assumed that we want to do only ad-hoc meetings (as in Express) but we can go for regular meetings as we do in Node.js if makes sense. But probably this is something that we can figure out in the future.
| @@ -0,0 +1,23 @@ | ||
|
|
||
| | Name | Github Repository | npm |
There was a problem hiding this comment.
I did an initial scoping by ignoring deprecated, achieved, etc... but I might missed some packages/repos. Ideally we focus only on repos that are code related
This is an initial proposal, feel free to add comments/changes/suggestions until we are all aligned!