Security Team

Contacting the team

If you think you have discovered a security vulnerability, please email the security team's TWikiSecurityMailingList at this address: mailto:twiki-security@listsPLEASENOSPAM.sourceforge.net (twiki-security@lists.sourceforge.net). They will analyse the vulnerability and get back to you as soon as possible. Read also the TWikiSecurityAlertProcess.

• NOTE: You don't need to subscribe to the twiki-security list! Only the SecurityTeam is on this list, but anyone can email to the team through the twiki-security email address. Please subscribe to the TWikiAnnounceMailingList to get notified of security alerts.

Please do not post a BugReport - once the team has analysed the problem, a less serious report may be dealt with via a BugReport, but a critical fix must be distributed to TWiki site administrators before the issue is publicised as a BugReport and in security advisories.

Tasks on being notified of a vulnerability

• The security team will act as follows:
  1. Attempt to discuss triage (i.e. prioritise alert action), but if necessary act alone
  2. Ensure security alerts are distributed as soon as possible but within the documented timeframe of the TWikiSecurityAlertProcess to give admins the chance to temporarily filter or take down vulnerable sites
  3. If possible, untar/fix/retar the offered downloadable distribution, so admins can get sites up again fast
  4. Ensure the proper fixing of the SVN versions (not do it, organise it)
  5. Coordinate and release emergency patch releases, as required
  6. Coordinate with security advisory agencies

Additional Responsibilities

• The Security Team reviews and refines TWikiSecurityAlertProcess from time to time

Rights

• The Security Team has the right to represent the TWiki community on all matters related to security, without reference to the rest of the community.
• The Security Team has the right to override all other decision-making processes in the event of security-related issues
• The SecurityTeamSupportGroup has volunteered to act under the direction of the Security Team as and when required
• The Security Team has the right to be recognised for their work in TWiki releases, on the twiki.org site, and in press communications

Team members

• PeterThoeny (team lead, USA west coast)
• RichardDonkin (Europe)
• SopanShewale (India)

See also: TWikiSecurityMailingList, TWikiSecurityAlerts, TWikiSecurityAlertProcess, TWikiSecurityAlertEmail

-- Contributors: CrawfordCurrie, RichardDonkin, SamHasler, PeterThoeny

Discussion and Feedback

In a discussion in IRC started by RichardDonkin, it was agreed that TWiki needs a Security Triage Team to handle security alerts and their follow-up. The following people were nominated:

• PeterThoeny (Western US)
• SvenDowideit (Australia)
• ColasNahaboo (France)

-- CrawfordCurrie - 25 Nov 2004

This is great - need some more detail on how this fits into TWikiSecurityAlertProcess, email lists to contact team, and so on.

UPDATE: Not sure why there's no 'create or coordinate patch creation for fix' as step 3 - surely a prelude to fixing the distros?

-- RichardDonkin - 25 Nov 2004

Should there be a mailto link on this topic and elsewhere (BugReport?) for reporting security issues in a consistent manner?

-- SamHasler - 26 Nov 2004

Yes, next email list to be set up is to report to triage team.

Triage team is a bit techie sounding, not sure if we need the 'triage' bit.

-- RichardDonkin - 26 Nov 2004

Renaming this to 'security team' to go with the terminology on TWikiSecurityAlertEmail.

The only remaining step is to create the security team list - this should be:

Name: TWiki Security Team
Email: twiki-security at lists.sourceforge.net

-- RichardDonkin - 27 Nov 2004

twiki-security@listsPLEASENOSPAM.sourceforge.net has been set up, as usual, it will take a few hours to be activated.

-- PeterThoeny - 27 Nov 2004

Some refactoring above to include mailto: link to new email address, and how / why to contact the security team. Just wanted something here since the alert email is going out now and includes a link to this page.

-- RichardDonkin - 28 Nov 2004

I'd like to suggest that the twiki-security list contains all people that have commit access to the twiki repository, as in DevelopBranch people and TWikiCore people

-- SvenDowideit - 29 Nov 2004

Good idea to have a slightly larger list of developers on the list, though the security team itself would be the ones responsible for triaging vulnerabilities - ideally would include people responsible for packaging TWiki for various OSs, e.g. Sven for TWikiOnDebian. The Mozilla Security model is an interesting one, see their Security Bugs Policy in particular as well as their Mozilla Security page.

I think that we might not invite very new additions to the committers list to the security list, unless they have been doing TWiki stuff for some time before that. This is just a hypothetical issue really, can't think of anyone this would apply to at the moment!

I've also put a note above explaining no need to join the list to send an alert. There is a handful of people who seem to be thinking this is the announcement list, which is why it might be better called twiki-security-team, but there aren't enough to make it worth changing the list name.

-- RichardDonkin - 10 Dec 2004

Richard volunteered to be on the security team. This is a very good fit since Richard has lots of experience in multiple platforms and internationalization

-- PeterThoeny - 15 Dec 2004

Due to lack of time and availability, resigned from the security team

-- ColasNahaboo - 27 Mar 2006

I am pleased to announce that KennethLavrsen has joint the Security Team. Please send a warm welcome to Kenneth!

• BF

-- PeterThoeny - 30 Mar 2006

I added a task-team form to ensure continuity for this incredibly important team.

-- CrawfordCurrie - 11 Sep 2008

To finish the process of task-team definition, we really need to know:

1. If PeterThoeny is happy to continue as the de facto leader of this team, and if not, who is,
2. If the active team membership list I added above is correct,
3. When the charter should next be reviewed (propose May 1st 2009)

-- CrawfordCurrie - 24 Oct 2008