2021-12-13 Meeting Minutes

Zoom Link: https://zoom.us/j/97240941339

Welcome and Introductions

Who you are, which project you represent, your role in the project and what your interest is in the Hyperledger security process effort.

Attendees

• Ry Jones

• Danno Ferrin
• Hart Montgomery
• Arun S M
• Peter Somogyvari
• Arnaud J Le Hors
• Cam Parra
• Bruno Vavala

Announcements

• Prior work: Replay the 2021 11 18 TSC Meeting Record

Agenda

• Welcome

• Review the document proposed by Ry https://wiki.hyperledger.org/display/TF/Gaps+between+guidance+and+implementation+for+CSVD

• Survey & feedback from project teams.

• Frequency and period of task force.
• Set goals for the task force.
  • Define expectations.
  • Define timelines and deliverables, actionable items.
• Open agenda

Next Meeting

Future Topics

Notes

1. To address:
   1. Key contact points from each of the project.
   2. Check if the reported issue is a vulnerability/CVE.
   3. What if the reporter is from within the project.
   4. Follow up with maintainers, what happened to the issue that was raised?
   5. Do not use mailing list as it is functional today.
2. Suggestions:
   1. Establish a process for reporting CVEs.
   2. Make use of GitHub CVE reporting feature to auto notify dependent projects.
   3. Survey while feeding in new issues ~ justify.
      1. Do calculate the score - questionnaire based report is not sufficient.
      2. Notify the third party (outside the project with familiarity of the reported issue). Consider reporter given their research motives.
   4. Use HackerOne as proposed in Gaps between guidance and implementation for CSVD - increase participation. Ask GB to sponsor.
   5. Process for auditing reported issues.
   6. In case of reporter is a member of the project team, create a checklist for members to follow to create a trace that provides auditability of what was done.
3. Gap in OpenSSF
   1. Goal: provide feedback to OpenSSF so that their guidelines can be improved

Action items

• Checklist for members to follow while reporting vulnerabilities.
• Questionnaire to report vulnerability  ~ calculate CVE score.

Recordings