[Board] proposed security initiative
Angelos Tzotsos
gcpp.kalxas at gmail.com
Tue Oct 17 01:17:20 PDT 2023
I think this will be highly relevant with CRA in the future.
There is an open ticket about this:
https://git.osgeo.org/gitea/osgeo/todo/issues/145
On 1/18/23 00:07, Jody Garnett via Board wrote:
> An idea that occurred to me last year, after successfully running a
> fundraising effort
> <https://geoserver.org/behind%20the%20scenes/2022/01/20/log4j-upgrade.html>
> in response to log4j security issues, was that ... 2022 was terrible.
>
> The second idea was that we could help OSGeo projects respond more quickly
> and professionally in the future.
>
> With this in mind I would like to propose an "osgeo security initiative"
> with very limited emergency scope.
>
> 1. Projects apply when faced with an emergency in a fashion similar to the
> code-sprint initiative
> 2. Projects would require registration of a formal CVE number for the
> vulnerability (in practice security researchers register these numbers on a
> project's behalf.)
> 3. Projects would require a clear budget for the request (standard practice
> just like a code sprint or event)
> 4. Challenge: Some secure channel is required for this communication
> because mean people exist
> 5. Challenge: Funding for preventative measures is not supported to limit
> scope of this initiative
>
> If done correctly the initiative can raise funds as more organizations are
> sensitive to the security of the open-source components they have come to
> depend on. Ideally it can also be an outreach opportunity to engage with
> security professionals.
>
> I have added this topic to both the upcoming meeting
> <https://wiki.osgeo.org/wiki/Board_Meeting_2023-01-30> and 2023 budget
> <https://wiki.osgeo.org/wiki/OSGeo_Budget_2023#OSGeo_Initiatives>.
> --
> Jody Garnett
>
>
> _______________________________________________
> Board mailing list
> Board at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/board
--
Angelos Tzotsos, PhD
President
Open Source Geospatial Foundation
http://users.ntua.gr/tzotsos