Policies and Procedures
- Two volunteer developers from each team.
- 12 month commitment.
- Help triage and respond to reports following the responsible disclosure policies and procedures.
Responsible Disclosure
- 48 hours to respond to reporter acknowledging the report.
- 1 week to triage, report, and coordinate with the affected project maintainers to plan the fix of the bug.
- 90 days to fix and release a fix or disclose the security bug.
- Any "critical" errors shall be assigned a CVE number and disclosed through the formal CVE system.
Current Team Members
(List)