1.5 years in the community seems like a reasonable threshold for a random person wanting to join the security team; however, if an established security expert joined the community and wanted to help, I don’t think I’d make her wait 1.5 years.
Is it common to have a mechanism for early notification of vulnerabilities? In the past, we considered making a security-announce mailing list to broadcast early warnings to interested parties. I’m not sure if that’s necessary or best practice. Talk could probably suffice, but it would be good to have a more well-defined process for notifications (e.g., a post to which category, using what tags, etc.).
I think I initially recommended this, but I’m not so sure about it anymore. I got the chance to talk to one of the core Debian developers about their vulnerability patching processes and I learned that they have no such early-notification mechanism, even for large enterprises that depend on the OS for mission-critical services. It seems like there’s no good way to solve the selective-notification problem without fundamentally changing the open-source nature of the project.
@shafiq12 Could you please incorporate your updates on this page? I can’t seem to find the previous edits that you made.
@isears @dkayiwa @cintiadr could you please comment on the “Time to resolve” column? What are your thoughts on giving some time durations to each severity case?
Hi @c.antwi, I have updated the document. Please find the following changes: 1. Added the role of “Manager”, 2. “Roles and responsibilities of Manager”, 3. Added points to “containment, recovery process”, 4. Added time to resolve/accomplish the vulnerability task. I hope it will further smooth the process to fix and resolve vulnerabilities and also the documentation. If something else needs to be edited or added, I would be pleased to do so.
https://wiki.openmrs.org/display/docs/Managing+a+Security+Vulnerabilities+in+OpenMRS