OpenMRS Security Guidelines Review: We Need Your Input

(Cynthia Antwi) #1

Hey Everyone

We are requesting input from the community to develop a set of guidelines for better management of our security monitoring activities. A draft can be found here.

Comments can also be included in this discussion thread.

(Cynthia Antwi) #2

We are still looking to get feedback on the Security Vulnerabilities Guidelines posted above.

Comments are welcome up until Friday, May 10, 2019.

(Burke Mamlin) #3

Looks good.

1.5 years in the community seems like a reasonable threshold for a random person wanting to join the security team; however, if an established security expert joined the community and wanted to help, I don’t think I’d make her wait 1.5 years. :slight_smile:

Is it common to have a mechanism for early notification of vulnerabilities? In the past, we considered making a security-announce mailing list to broadcast early warnings to interested parties. I’m not sure if that’s necessary or best practice. Talk could probably suffice, but it would be good to have a more well-defined process for notifications (e.g., a post to which category, using what tags, etc.).

(Isaac Sears) #4

I think I initially recommended this, but I’m not so sure about it anymore. I got the chance to talk to one of the core Debian developers about their vulnerability patching processes and I learned that they have no such early-notification mechanism, even for large enterprises that depend on the OS for mission-critical services. It seems like there’s no good way to solve the selective-notification problem without fundamentally changing the open-source nature of the project.