[Board] proposed security initiative

Jody Garnett jody.garnett at gmail.com
Tue Jan 17 14:07:36 PST 2023


An idea that occurred to me last year, after successfully running a
fundraising effort
<https://geoserver.org/behind%20the%20scenes/2022/01/20/log4j-upgrade.html>
in response to log4j security issues, was that ... 2022 was terrible.

The second idea was that we could help OSGeo projects respond more quickly
and professionally in the future.

With this in mind I would like to propose an "osgeo security initiative"
with very limited emergency scope.

1. Projects apply when faced with an emergency in a fashion similar to the
code-sprint initiative
2. Projects would require registration of a formal CVE number for the
vulnerability (in practice security researchers register these numbers on a
project's behalf.)
3. Projects would require a clear budget for the request (standard practice
just like a code sprint or event)
4. Challenge: Some secure channel is required for this communication
because mean people exist
5. Challenge: Funding for preventative measures is not supported to limit
scope of this initiative

If done correctly the initiative can raise funds as more organizations are
sensitive to the security of the open-source components they have come to
depend on. Ideally it can also be an outreach opportunity to engage with
security professionals.

I have added this topic to both the upcoming meeting
<https://wiki.osgeo.org/wiki/Board_Meeting_2023-01-30> and 2023 budget
<https://wiki.osgeo.org/wiki/OSGeo_Budget_2023#OSGeo_Initiatives>.
--
Jody Garnett