ORPRO-process




 * Project intake
 * Proposals for open source projets to be reviewed can be sent to the ORPRO project lead. The open source project will be checked against some entry criteria - for example the open source project team should be in a position to remediate security defects that are discovered.
 * Team Development
 * The project lead assigns a review project lead and the lead can additionally select a team of reviewers.
 * Review
 * Assuming the project uses a platform supported by owasp.fortify.com, the source code is run through automated analysis. Defects discovered are manually reviewed and then communicated to the owners of the open source project for remediation.  For more information on this process, see the OWASP Open Review owasp.fortify.com FAQ
 * Reviewers manually review the application design and source code and communicate identified issues to the owners of the open source project for remediation.
 * Either reviewers or the open source project leaders responsibly disclose the identified security issues

The ORPRO project is a relatively new effort and it is expected that these processes will develop and change over time to accommodate new situations as they arise.