<div dir="auto">Indeed, you may also notice the recent GeoServer security policy change. </div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Oct 17, 2023 at 1:17 AM Angelos Tzotsos via Board <<a href="mailto:board@lists.osgeo.org">board@lists.osgeo.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)">I think this will be highly relevant with CRA in the future.<br>
There is an open ticket about this:<br>
<a href="https://git.osgeo.org/gitea/osgeo/todo/issues/145" rel="noreferrer" target="_blank">https://git.osgeo.org/gitea/osgeo/todo/issues/145</a><br>
<br>
On 1/18/23 00:07, Jody Garnett via Board wrote:<br>
> An idea that occurred to me last year, after successfully running a<br>
> fundraising effort<br>
> <<a href="https://geoserver.org/behind%20the%20scenes/2022/01/20/log4j-upgrade.html" rel="noreferrer" target="_blank">https://geoserver.org/behind%20the%20scenes/2022/01/20/log4j-upgrade.html</a>><br>
> in response to log4j security issues, was that ... 2022 was terrible.<br>
><br>
> The second idea was that we could help OSGeo projects respond more quickly<br>
> and professionally in the future.<br>
><br>
> With this in mind I would like to propose an "osgeo security initiative"<br>
> with very limited emergency scope.<br>
><br>
> 1. Projects apply when faced with an emergency in a fashion similar to the<br>
> code-sprint initiative<br>
> 2. Projects would require registration of a formal CVE number for the<br>
> vulnerability (in practice security researchers register these numbers on a<br>
> project's behalf.)<br>
> 3. Projects would require a clear budget for the request (standard practice<br>
> just like a code sprint or event)<br>
> 4. Challenge: Some secure channel is required for this communication<br>
> because mean people exist<br>
> 5. Challenge: Funding for preventative measures is not supported to limit<br>
> scope of this initiative<br>
><br>
> If done correctly the initiative can raise funds as more organizations are<br>
> sensitive to the security of the open-source components they have come to<br>
> depend on. Ideally it can also be an outreach opportunity to engage with<br>
> security professionals.<br>
><br>
> I have added this topic to both the upcoming meeting<br>
> <<a href="https://wiki.osgeo.org/wiki/Board_Meeting_2023-01-30" rel="noreferrer" target="_blank">https://wiki.osgeo.org/wiki/Board_Meeting_2023-01-30</a>> and 2023 budget<br>
> <<a href="https://wiki.osgeo.org/wiki/OSGeo_Budget_2023#OSGeo_Initiatives" rel="noreferrer" target="_blank">https://wiki.osgeo.org/wiki/OSGeo_Budget_2023#OSGeo_Initiatives</a>>.<br>
> --<br>
> Jody Garnett<br>
><br>
><br>
> _______________________________________________<br>
> Board mailing list<br>
> <a href="mailto:Board@lists.osgeo.org" target="_blank">Board@lists.osgeo.org</a><br>
> <a href="https://lists.osgeo.org/mailman/listinfo/board" rel="noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/board</a><br>
<br>
<br>
-- <br>
Angelos Tzotsos, PhD<br>
President<br>
Open Source Geospatial Foundation<br>
<a href="http://users.ntua.gr/tzotsos" rel="noreferrer" target="_blank">http://users.ntua.gr/tzotsos</a><br>
<br>
</blockquote></div></div>