Hyperledger is committed to creating a safe and welcoming
community for all. For more information
please visit the Hyperledger Code of Conduct.
Zoom Link: https://zoom.us/j/97240941339
Welcome and Introductions
Who you are, which project you represent, your role in the project and what your interest is in the Hyperledger security process effort.
- Prior work: Replay the 2021 11 18 TSC Meeting Record
Review the document proposed by Ry https://wiki.hyperledger.org/display/TF/Gaps+between+guidance+and+implementation+for+CSVD
Survey & feedback from project teams.
- Frequency and period of task force.
- Set goals for the task force.
- Define expectations.
- Define timelines and deliverables, actionable items.
- Open agenda
- To address:
- Key contact points from each of the project.
- Check if the reported issue is a vulnerability/CVE.
- What if the reporter is from within the project.
- Follow up with maintainers, what happened to the issue that was raised?
- Do not use mailing list as it is functional today.
- Establish a process for reporting CVEs.
- Make use of GitHub CVE reporting feature to auto notify dependent projects.
- Survey while feeding in new issues ~ justify.
- Do calculate the score - questionnaire based report is not sufficient.
- Notify the third party (outside the project with familiarity of the reported issue). Consider reporter given their research motives.
- Use HackerOne as proposed in Gaps between guidance and implementation for CSVD - increase participation. Ask GB to sponsor.
- Process for auditing reported issues.
- In case of reporter is a member of the project team, create a checklist for members to follow to create a trace that provides auditability of what was done.
- Gap in OpenSSF
- Goal: provide feedback to OpenSSF so that their guidelines can be improved
- Checklist for members to follow while reporting vulnerabilities.
- Questionnaire to report vulnerability ~ calculate CVE score.