Add PSWG Membership Guidelines document#1750
Document the purpose, membership criteria, and operational guidelines for the Istio Product Security Working Group (PSWG). Include details on roles, responsibilities, and compliance processes.
| - Receive and triage security vulnerability reports and CVEs impacting Istio. | ||
| - Coordinate private remediation and disclosure. | ||
| - Manage CVE assignment and security releases. | ||
| - Provide a consistent, timely, and accountable security response process. |
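Review bot: "Manage CVE assignment" on the third bullet reads as if the working group issues CVE IDs itself; state whether the PSWG requests IDs through a CNA or acts as one, and who owns that relationship, so the responsibility is actionable rather than implied.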
"Coordinate with other security teams in the OSS ecosystem and with industry partners on security sensitive topics"
| Istio Product Security Working Group (PSWG) Membership & Release Management | ||
| ====== | ||
|
|
||
| # Purpose |
The heading on the top is rendering as an H1. You probably want to knock all the rest down by adding one # to each.
| @@ -0,0 +1,216 @@ | |||
| Istio Product Security Working Group (PSWG) Membership & Release Management | |||
High-level thoughts:
- "release management" is a topic with meaning in the CNCF. I think you're talking specifically about "security release management" (you're more specific in usage below) and it would make sense to change this. That said, you're effectively saying that "SRM is a requirement of being on the PSWG".
- On L14 below, you create something like a circular dependency: "you must be on the early disclosure list", "to be on the list you must have a rep on the PSWG".
Given you're making a rather large definition here, and probably only want to do this once, I might suggest you consider whether you collapse these: I think you want it to be that if you are a member of the PSWG, your company is entitled to early notification.
| # Membership | ||
|
|
||
| ## Membership Definition | ||
| Membership criteria for the PSWG: https://github.com/istio/community/blob/master/EARLY-DISCLOSURE.md#membership-criteria |
Is there a case where you might be on the PSWG but not meet the requirements for early disclosure, i.e. you're an evening coder who doesn't work for a company distributing Istio?
| Each member organization **must name at least one primary representative**. | ||
|
|
||
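Review bot: requiring only "at least one primary representative" leaves no named backup when that person is unavailable during an embargoed fix; consider also requiring at least one alternate contact per member organization so private remediation is not blocked on a single individual.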
| ## Membership Requirements (Minimum) | ||
| PSWG member organizations must meet all requirements below: |
(implies members are companies, not named individuals. Is this correct?)
| PSWG uses a graduated process to be fair and transparent: | ||
| #### Step 1: Notice of Non-compliance | ||
|
|
||
| PSWG lead(s) notify the member org representatives that they are not meeting requirements. |
Where are leads defined? Are leads named people or organisations?