[Board] proposed security initiative

Jody Garnett jody.garnett at gmail.com
Tue Oct 17 07:03:19 PDT 2023


Indeed, you may also notice the recent GeoServer security policy change.

On Tue, Oct 17, 2023 at 1:17 AM Angelos Tzotsos via Board <board at lists.osgeo.org> wrote:

> I think this will be highly relevant with CRA in the future.
> There is an open ticket about this:
> https://git.osgeo.org/gitea/osgeo/todo/issues/145
>
> On 1/18/23 00:07, Jody Garnett via Board wrote:
> > An idea that occurred to me last year, after successfully running a
> > fundraising effort
> > <https://geoserver.org/behind%20the%20scenes/2022/01/20/log4j-upgrade.html>
> > in response to log4j security issues, was that ... 2022 was terrible.
> >
> > The second idea was that we could help OSGeo projects respond more quickly
> > and professionally in the future.
> >
> > With this in mind I would like to propose an "osgeo security initiative"
> > with very limited emergency scope.
> >
> > 1. Projects apply when faced with an emergency in a fashion similar to the
> > code-sprint initiative
> > 2. Projects would require registration of a formal CVE number for the
> > vulnerability (in practice security researchers register these numbers on a
> > project's behalf.)
> > 3. Projects would require a clear budget for the request (standard practice
> > just like a code sprint or event)
> > 4. Challenge: Some secure channel is required for this communication
> > because mean people exist
> > 5. Challenge: Funding for preventative measures is not supported, to limit
> > the scope of this initiative
> >
> > If done correctly the initiative can raise funds as more organizations are
> > sensitive to the security of the open-source components they have come to
> > depend on. Ideally it can also be an outreach opportunity to engage with
> > security professionals.
> >
> > I have added this topic to both the upcoming meeting
> > <https://wiki.osgeo.org/wiki/Board_Meeting_2023-01-30> and 2023 budget
> > <https://wiki.osgeo.org/wiki/OSGeo_Budget_2023#OSGeo_Initiatives>.
> > --
> > Jody Garnett
> >
> >
> > _______________________________________________
> > Board mailing list
> > Board at lists.osgeo.org
> > https://lists.osgeo.org/mailman/listinfo/board
>
>
> --
> Angelos Tzotsos, PhD
> President
> Open Source Geospatial Foundation
> http://users.ntua.gr/tzotsos
>