|
Hyperledger is committed to creating a safe and welcoming community for all. For more information please visit the Hyperledger Code of Conduct. |
|---|
Welcome and Introductions
Who you are, which project you represent, your role in the project and what your interest is in the Hyperledger security process effort.
Attendees
Announcements
Agenda
- Welcome
Review CVSS calculation. Report from Danno Ferrin https://github.com/hyperledger/besu/security/advisories/GHSA-7pg2-p5vj-xp5h (additional ref: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)
Review checklist for reporting vulnerabilities. Covers both the project team and an external member.
- Open agenda
Next Meeting
Future Topics
Notes
- Questions:
- Way of reporting fixes for vulnerabilities. Report the issue post patch updates. This is general practice followed across security groups.
- Communicating with other groups (a case of Ethereum).
- Using GitHub for creating an issue ID. Better option at present for Hyperledger Foundation.
- Case for Hyperledger Ursa
- Linux Foundation is expected to send out guidelines sooner through OpenSSF.
- Define what does scoring guidelines mean for Hyperledger Foundation. Refer to https://www.first.org/cvss/calculator/3.0 as a starting point.
- Definitions for what each of the fields mean in the form.
- Target audience: Consumers of the project. Ops teams who work on these projects regularly.
- Review https://github.com/ossf/security-reviews
Action items
- Checklist for members to follow while reporting vulnerabilities.
- Questionnaire to report vulnerability ~ calculate CVE score. Danno Ferrin
- Define scoring guidelines for blockchain & non-blockchain projects in Hyperledger Foundation. Hart Montgomery
Recordings