...
- Provide named security contacts per project (at least two contacts)
- Define the security issue reporting process in SECURITY.md, with reference to the Hyperledger reporting process
- Review, respond to, and act on reported security vulnerabilities
- Follow the security issue disclosure process - see the Disclosure task force
- Leverage automated scans; tooling depends on language but usually includes some combination of:
  - linters
  - Software Composition Analysis (SCA) dependency scans, e.g. Dependabot, govulncheck
  - Static Application Security Testing (SAST), aka static analysis scans, e.g. CodeQL, Snyk
- Pin dependencies and keep them up to date, e.g. using Dependabot, but review automated upgrade pull requests before merging and check new dependency versions for malware rather than auto-merging them
- Engage with Hyperledger staff on the possibility of security audits for Graduated project major releases; address audit results and socialize them
- Review the OpenSSF secure developer guide and the OpenSSF overview presentation to the TOC (charts, replay)
- Review and obtain the OpenSSF Best Practices Badge - criteria
- Sign release artifacts (TBD) - see the proposed Security Artifact Signing task force
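As an added example (not part of the Hyperledger checklist or any project's own configuration), a Dependabot configuration and a GitHub Actions workflow for a hypothetical Go project that implement the scanning and pinning items above: Dependabot raises reviewable pull requests for Go modules and for the workflow's own actions instead of auto-merging, and the workflow pins each action to a full commit SHA (placeholders here, since no real SHAs are on the page) and runs govulncheck and CodeQL on pull requests and on a weekly schedule.

```yaml
# .github/dependabot.yml (assumed path; assumes a Go module at the repo root)
version: 2
updates:
  # Go module dependencies: open PRs for human review, never auto-merge
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
  # Keep the SHA-pinned actions in the workflows current as well
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
---
# .github/workflows/security-scan.yml (assumed path)
name: security-scan
on:
  pull_request:
  push:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"   # weekly run catches advisories published after merge
permissions:
  contents: read
  security-events: write  # required to upload CodeQL results
jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      # Pin to an immutable commit SHA rather than a movable tag; the trailing
      # version comment lets Dependabot keep the pin current.
      - uses: actions/checkout@<commit-sha>   # placeholder, v4
      - uses: actions/setup-go@<commit-sha>   # placeholder, v5
        with:
          go-version-file: go.mod
      # A real project should pin this tool version too instead of @latest
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - run: govulncheck ./...
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<commit-sha>                 # placeholder, v4
      - uses: github/codeql-action/init@<commit-sha>        # placeholder, v3
        with:
          languages: go
      - uses: github/codeql-action/autobuild@<commit-sha>   # placeholder, v3
      - uses: github/codeql-action/analyze@<commit-sha>     # placeholder, v3
```

Findings from both jobs fail the check or land in the repository's code scanning alerts, so the project reviews them as part of the "review, respond, and act" item rather than in a separate process.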
...
- User guide, including Getting Started / Tutorial
- Project developer guide, including coding guidelines, build instructions, and test instructions
- Application developer guide
  - Recommended documentation platform?
Project management
- Maintain a written project roadmap
- Create, clarify, and label issues in GitHub for contributors
- Review, triage, comment on, and close GitHub issues
Releases
- Follow an established release versioning scheme - either SemVer or CalVer
- Document the release strategy, release process, and branch strategy (one branch per major.minor release works well, so that each can be maintained in isolation with major.minor.patch releases)
- Document the long-term support (LTS) release strategy - example: https://github.com/hyperledger/fabric-rfcs/blob/main/text/0005-lts-release-strategy.md
- Use GitHub Actions to automate the release process, e.g. publish artifacts and release notes upon drafting a GitHub release
- Release artifacts - attached to the GitHub release; Docker images in GitHub Packages versus Docker Hub?
...