-
Notifications
You must be signed in to change notification settings - Fork 2
Scope ISIG & ISRT
As Islandora emerges as a framework for sophisticated repository development, security properties of both implementations and specifications become critical. This Interest Group shall provide a forum for institutions, designers, implementers, and other interested parties to work toward improving specifications and implementations to advance security of the Islandora stack overall. The group is, in particular, focused on the security properties of Islandora and related modules, APIs, technologies and post incident responses.
As an Interest Group, this group meets first Wednesday of the month or as needed. ISIG shall generate reports for the Islandora Community Manager and alert the Islandora Security Response Team (ISRT) as needed. ISIG Shall discuss and work to uncover potential security vulnerabilities associated with the Islandora stack. ISIG shall suggest procedures and policies associated with these items to the Roadmap Committee.
The Security Response Team is a defined group with a non-publically-disclosed membership who will meet as needed, and respond to and fix security vulnerabilities with complete documentation on the vulnerability fix. Communications will be conducted in private channels until a fix has been implemented. Procedures and constraints will be developed by ISIG with ISRT in coordination with a representative of the Islandora Foundation. The ISRT follows the Islandora Committers Workflow as defined by the community except for the wait time between a pull request and a merge - when a security fix is implemented, these events will be coordinated to be (nearly) instantaneous.
New members may join the ISRT by being nominated in an email to security@islandora.ca. The members of the ISRT will perform an Apache-style (+1/0/-1) vote on the new member. The nominee must meet Islandora Committers criteria and shows a high degree of understanding or desire to learn regarding security practices. The nominee (and roadmap if successful) will be informed by a representative of the Islandora Foundation. Even if a candidate meets the criteria they may not be accepted immediately because there is a need to keep the team lean. However we will strive to be as inclusive as possible. A member of the Response Team may remove themselves from the team by sending an email to security@islandora.ca stating their intention. Policies on member retainment will be documented.
The team will respond to emails sent to security@islandora.ca. The team will provide an initial security assessment report of the risk and impact to a representative of the Islandora Foundation. The team will provide a fix in the form of a patch or an update to repos associated with the incident. Team members will participate in ISIG meetings.
- A bug reporter (anyone) sends an email regarding a security flaw to “security@Islandora.ca”.
- A representative of the Islandora Foundation responds to reporter within two business days and if necessary gathers more information on the reported issue.
- A member of the ISRT creates a Duraspace Ticket, tagged as “sensitive” (which in Jira, only ISRT members can see).
- Arrange to convene a ISRT call within two business days of the original report.
- The ISRT develops an initial security assessment report of the risk and impact, which is sent to a representative of the Islandora Foundation.
- The ISRT develops a fix with the decided parties.
- The ISRT provides a fix in the form of a patch or an update to the GitHub repository associated with the incident, including updates to the README.md if needed.
- An ISRT member who did not contribute code will review, test and later merge feeding back to development as necessary.
- A member of the Islandora Foundation sends a to the Islandora community mailing list that a security update is going to be released, specifying the components that will be affected without disclosing sensitive information. This will occur 24h before the co-ordinated pull request (next step).
- A member that worked on the code will submit a Pull request, at which point the information about the security vulnerability will, (by necessity) become public.
- The assigned tester will Merge Pull request immediately. The JIRA ticket (to this point private) will be closed, and will be made public.
- A final report will be sent to ISIG and a representative of the Islandora Foundation concurrently with code deployment.
Note: The ISRT will make the determination if any additional people should be included in the resolution development. Only private communication channels will be used until the fix is public. The only ISRT communications required to be public is the Duraspace ticket after the fix is accepted. Further communications as deemed necessary will be done by a representative of the Islandora Foundation.
- Received Email forwarded from “security@Islandora.ca” on a possible concern