Graduation Process: Security

[varodrig]

Security

Note: this section may be augmented by a joint-assessment performed by TAG Security.

Suggested

• Achieving OpenSSF Best Practices silver or gold badge.

Required

• Clearly defined and discoverable process to report security issues.

• Enforcing Access Control Rules to secure the code base against attacks (Example: two factor authentication enforcement, and/or use of ACL tools.)

• Document assignment of security response roles and how reports are handled.

• Document Security Self-Assessment.

• Third Party Security Review.

  • Moderate and low findings from the Third Party Security Review are planned/tracked for resolution as well as overall thematic findings, such as: improving project contribution guide providing a PR review guide to look for memory leaks and other vulnerabilities the project may be susceptible to by design or language choice ensuring adequate test coverage on all PRs.

• Achieve the Open Source Security Foundation (OpenSSF) Best Practices passing badge.

[andreyvelich]

/area cncf-graduation

[tarilabs]

as part of the Badge for the required (passing) there is the open question where do we direct the users for responsible disclosure; from MR WG, we're happy to comply with COmmunity decision (either per-repo, hackerone, etc)