Summit 2011 Working Sessions/Session203/Deliverable 1

Deliverable 1
OWASP Project Disclosure Policy

Ack. From Leader of Issue

 * First Notice to Project Leaders - Response Expected within 7 days from initial notice to leader
 * Second Notice to Project Leaders - Response Expected within 14 days from initial notice to leader
 * Final Notice to Project Leaders - Response Expected within 30 days from initial notice to leader

If the issue is not acknowledged, full or partial disclosure of the issue will be released. Whether disclosure is full or partial is to be determined and voted on by the GPC on a case-by-case basis.

Ack. of Resolution within 180 days of initial contact
 * If the project leader provides a detailed explanation of why a fix will take longer, the GPC can decide to extend the disclosure period in 30-day increments.

The maximum resolution period that will be granted cannot extend beyond 365 days from the date of initial contact.

Example Policies and Bylaws from Founding of the Apache Security Team
A. Reestablishing the Apache Security Team

WHEREAS, the Board of Directors deems it to be in the best interests of the Foundation and consistent with the Foundation's purpose to establish the ASF Board Committee charged with maintaining the security of software produced by the various projects established under the ASF's umbrella, but not for the security of the servers and other infrastructure used by the ASF.

NOW, THEREFORE, BE IT RESOLVED, that the ASF Board Committee, known as the "Apache Security Team", be and hereby is reestablished pursuant to Bylaws of the Foundation; and be it further

RESOLVED, that the Apache Security Team be and hereby is responsible for organization and oversight of efforts to maintain the security of ASF projects and shall act as a single point of contact between the ASF and any entity wishing to report or fix any security related issue in any project.

RESOLVED, that each project shall appoint at least one non-voting liaison to the committee, who shall have commit privilege for the project's repository, and the technical ability to release new versions, advisories or security patches on behalf of the project.

RESOLVED, that the committee shall have the power to act on behalf of any project in matters of security.

RESOLVED, that Mark Cox shall serve at the direction of the Board of Directors as the chair of the Security Team and have primary responsibility for managing the Security Team; and be it further

RESOLVED, that the persons listed immediately below be and hereby are appointed to serve as the members of the Apache Security Team:
 * Ben Laurie
 * Mark Cox

There was some discussion over the small number of "initial" members of the team. It was noted that it was expected that new members would be added as soon as the team rebooted. Special Order 6A, Reestablishing the Apache Security Team, was approved by Unanimous Vote.

Mozilla Security Policies
https://www.mozilla.org/projects/security/security-bugs-policy.html