Hyperledger is committed to creating a safe and welcoming community for all. For more information please visit the Hyperledger Code of Conduct.

Welcome and Introductions

Who you are, which project you represent, your role in the project and what your interest is in the Hyperledger security process effort.

Attendees

  • Arun S M
  • Ryan Lee
  • Hart Montgomery
  • Mic Bowman
  • Weihong Ou
  • Danno Ferrin
  • Vikram Sharma
  • Peter Somogyvari
  • Deepika Karanji

Announcements

Agenda

  • Welcome
  • Scoring guidelines for blockchain projects in Hyperledger Foundation.
    • Security threat modelling for blockchain technology.
  • Broader areas to focus on
    • Infrastructure security.
    • Signing artefacts / binary distribution.
  • Review comments/discussions on https://github.com/ossf/security-reviews
  • Review scorecard from OpenSSF https://github.com/ossf/scorecard.
  • Review checklist for reporting vulnerabilities. Covers both the project team and an external member.
  • Open agenda

Next Meeting

Future Topics

Notes

  1. Processes are secure ~ development, distribution.
  2. Process to report security issues at Hyperledger.
  3. Threat modelling
    1. Define boundaries ~ infrastructure, networking, development.
    2. How do we measure robustness?
      1. Suggestions such as attesting the build process.
      2. Project's security review information, and where to find it.
      3. Define how security claims are made in a project. State the assumptions made to support each claim. Projects should have formal proofs for their claims.
      4. Articulate human-consumable definitions for the claims.
      5. Reference https://eprint.iacr.org/2014/765.pdf to learn how this is done for the Bitcoin network.
  4. Breaking the task force into multiple work streams.
  5. Projects handling the security reports ~ should the TSC consider it as a metric to measure, and define a process to follow up on that?
  6. Infrastructure-related security measures may be influenced by LF policies.
    1. Community hinted towards moving these to the LF charter.

Action items

  • Checklist for members to follow while reporting vulnerabilities.
  • Questionnaire to report a vulnerability ~ calculate CVE score. (Danno Ferrin)
  • Define scoring guidelines for blockchain & non-blockchain projects in Hyperledger Foundation. (Hart Montgomery)
  • Propose to break the task force activities into multiple work streams. (Hart Montgomery, Mic Bowman)

Recordings

  • GMT20220225-154559_Recording.txt (text file), modified Feb 28, 2022 by Ry Jones
  • GMT20220225-154559_Recording.transcript.vtt (file), modified Feb 28, 2022 by Ry Jones
  • GMT20220225-154559_Recording.m4a (multimedia file), modified Feb 28, 2022 by Ry Jones

1 Comment

  1. Apologies for having to leave early today! One more thing I wanted to say is that if we'll end up splitting the task force into multiple workstreams AND one of those will be focused on automation, then I wouldn't mind volunteering to help out with that. With that said, I understand that we are raising the ceiling here and that anything that's automation related is going to be more relevant to the floor instead, so don't take this as an explicit proposal that we should have an automation workstream, just that if there is one (by consensus of the task force members) then count me in on that. (wink)