GLEP [insert number]: Security Project's purpose and abilities

Abstract

This GLEP outlines the purpose, responsibilities and abilities of the Gentoo Security Project.

Motivation

This GLEP aims to document the processes of the Security Project and to empower the project to operate on a wide scale across the Gentoo tree, within the structure provided by this GLEP.

Specification

The Security Project's purpose is to ensure users are provided with applications that, to the best of the knowledge of the Gentoo Developers, are free of vulnerabilities. In order to achieve this purpose, the Security Project requires certain abilities and responsibilities, as outlined in this GLEP, in order to serve the best interests of all users.

Project Lead

Joining the Project

Security package version/revision bumps and package masks

Miscellaneous

Subscription to security lists and acting on behalf of Gentoo

Auditing and public reporting of issues in the name of Gentoo

Upstream reporting of suspected security bugs should only be done using a @gentoo.org email address if it is done by a member of the Security Auditing Project, or if the issue has been privately reported and accepted as a security vulnerability in accordance with the procedures set forth by the Security Project (at the time of writing found in [GLSACG, section 2.4 Auditing]).

Embargoed lists

Security Project Members should always keep information learned through access to embargoed lists confidential. Access for other Gentoo Developers should only be granted on a need-to-know basis, and Gentoo Developers gaining access to such embargoed lists are required to keep the information confidential.

Requests to gain access to embargoed lists in the name of Gentoo should only be made with the approval of the Security Project Lead (or, if a Deputy is appointed, the Deputy). The Project Lead is responsible for maintaining a list of who has access to the various embargoed lists and for keeping that access up to date as the Security Project develops: both by ensuring enough active participation that the Security Project can act on the information provided on these lists in a responsible manner, and by ensuring that a member who is no longer active in the Security Project does not retain access in the name of Gentoo.

CVE Numbering Authority (CNA) status

The Security Project shall maintain tools and processes in a manner that is compatible with becoming a CVE Numbering Authority [CNA].

Documentation of process

The Project shall have procedures in place to document its process and regularly update the documentation.

References

[GLSACG] https://wiki.gentoo.org/wiki/Project:Security/GLSA_Coordinator_Guide

[VULNTP] https://www.gentoo.org/support/security/vulnerability-treatment-policy.html

[CNA] https://cve.mitre.org/cve/cna.html

Backwards Compatibility

Not applicable for this GLEP.

Copyright

This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/