... | ... | @@ -28,13 +28,13 @@ |
- no need to reinvent the process while dealing with the issue
- we don't lose security issues
nick's suggestions for other potential teams/the org:
- nick's suggestions for other potential teams/the org:
- look over netteam security policy and think about what you like to change
- maybe we get to a single inter-team policy
- maybe different definitions for what security levels are (e.g. the netteam security policy has nothing to say about browser fingerprinting which Tor Browser might want)
- types of severity might even not make sense for browser
-GeKo mentions that we have a sec policy for Tor Browser on HackerOne right now
- GeKo mentions that we have a sec policy for Tor Browser on HackerOne right now
- security level "high" etc. could be dependent on how hard things are to exploit, platform exposure etc.
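Review bot: the `-GeKo mentions that we have a sec policy for Tor Browser on HackerOne right now` line lacks the space after the dash and so would not render as a list item; the version with `- GeKo mentions ...` in this hunk is the correct one, and the same hunk rightly turns `nick's suggestions for other potential teams/the org:` into `- nick's suggestions ...` so the sub-points below it nest under a list item. While these lines are being touched, `think about what you like to change` reads better as `think about what you would like to change`.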
... | ... | @@ -83,12 +83,12 @@ nick's suggestions for other potential teams/the org: |
- [gitlab account creation tool](https://gitlab.torproject.org/tpo/tpa/gitlab-lobby) and approval process is not really maintained (not run on TPA servers), juga might look at it for maintenance purposes
- maybe HackerOne as a solution to sec bug reporting and getting a convo going with the reporter
- problem of external provider selling bug reports
- attracting the wrong folks (some just scanning your website for some supposed sec bugs)
- problem of external provider selling bug reports
- attracting the wrong folks (some just scanning your website for some supposed sec bugs)
- security policy could be seen as part of a disaster recovery policy
- overall summary:
- decommision schleuder for sec bug reporting
- consensus for looking at TROVE process for other teams/whole project, getting specific gitlab project going for that for tickets to coordinate that discussion (maybe rhatto can help with that) (repository opening first week after the meeting week, having this finalized at least by the end of the year)
- getting anon-reporting/lobby tools maintained |
- decommision schleuder for sec bug reporting
- consensus for looking at TROVE process for other teams/whole project, getting specific gitlab project going for that for tickets to coordinate that discussion (maybe rhatto can help with that) (repository opening first week after the meeting week, having this finalized at least by the end of the year)
- getting anon-reporting/lobby tools maintained |
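Review bot: `decommision schleuder for sec bug reporting` is misspelled in both copies of that summary line in this hunk; since the line is already inside the edited region, correct it to `decommission`. Two smaller wording points in the same hunk: `getting a convo going with the reporter` would read better as `getting a conversation going with the reporter`, and the long consensus item would be easier to follow if the two parenthetical notes (who can help, and the timeline) were split into sub-bullets rather than nested parentheses.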