... | ... | @@ -14,6 +14,8 @@ The OpenPGP secret key material for the `security@torproject.org` UID is distrib |
If an individual who is a security point person is no longer working with Tor, or needs to otherwise rotate out of this role, then they are to be replaced with a new person from that team and the key material is rotated and redistributed.
Because there is a not-insignificant overhead involved in doing such a rotation, we prefer to not rotate that role often.
# Intake process
When a security issue arrives to `security@`, the team security point person should create a confidential issue in the appropriate gitlab project, with the `Security` label. If this person is on vacation, then another point-person could optionally step in and route the issue to the correct team.
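Review bot: the intake paragraph makes backup coverage optional ("another point-person could optionally step in"), so a report that lands while the responsible point person is away has no guaranteed owner; state who covers in that case (for example, any other point person who sees the message) and require it rather than leave it optional. In the same hunk, the rotation paragraph says the key material is "rotated and redistributed" when a point person leaves but does not say that the departing person's copy is to be destroyed or that the old `security@torproject.org` key is revoked, which is the whole point of rotating; add that step. Minor: the hunk uses "security point person", "point-person" and (later in this file) "security liaison" for the same role, so pick one term.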
... | ... | @@ -25,3 +27,13 @@ As necessary, convene a meeting of subject matter stake-holders to triage, or in |
The issue **must** be assigned to someone, it should also have its severity/priority set and an expiration date for when the issue should be resolved. An issue without an assignee can be easily lost.
Because security issues need to be properly addressed in a timely manner they should be continuously evaluated in scoping sessions so they are not dropped.
# Communications
## Team communications
The `security@` alias receives a number of spam messages, bogus reports, legal requests, legitimate support questions, etc. The security liaison is responsible for looking at each message coming in and making a determination if it is for their team or not, and if it is something that needs to be handled by that team. In many cases there are reports that are, on their face, not serious reports. If there is any question, then please reply to the `security@` alias to let people know that it is being handled (ideally with a confidential gitlab issue link). If there is no notification from the team liaison that an issue is being handled, then you will be contacted by the Director of Engineering to ask you if you have seen it.
## Communications with the reporter
If the person reporting the issue has used encryption to send the report, you should use encryption to reply to them. If they have not provided their public key and it is not possible to retrieve it from the keyservers, then you can write to them unencrypted to ask them for it. If you need to reply, please CC the `security@` alias, and please use your `torproject.org` email address to do so. |
\ No newline at end of file |
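Review bot: the "Communications with the reporter" paragraph tells the liaison to reply encrypted when the report was encrypted and to CC `security@`, but a reply encrypted only to the reporter's key is unreadable by the other point persons on the alias; say explicitly that replies are encrypted to both the reporter's key and the `security@torproject.org` key (the first hunk header refers to that key's secret material being distributed to the point persons). The fallback "write to them unencrypted to ask them for it" should add that the unencrypted request must not quote or summarize the report itself. Two smaller points: the team-communications paragraph says the Director of Engineering will follow up "if there is no notification" but gives no time window, so state how long a report may sit unacknowledged before that happens; and "an expiration date for when the issue should be resolved" in the intake hunk reads as if the issue expires rather than is due, so "due date" is clearer.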