dev:security

Differences

This shows you the differences between two versions of the page.

dev:security [2015/03/12 16:26] – security team relaunch gmcharlton
dev:security [2023/06/01 13:22] (current) – [How are security fixes released?] master to main dyrcona
Line 4: Line 4:
  
 You can report a security-related issue in Evergreen via the bug tracking system at https://bugs.launchpad.net/evergreen -- be sure to check the box labeled "This bug is a security vulnerability". You can report a security-related issue in Evergreen via the bug tracking system at https://bugs.launchpad.net/evergreen -- be sure to check the box labeled "This bug is a security vulnerability".
 +
 +While we prefer that security bugs be reported via Launchpad, they can also be reported to [[mailto:security@evergreen-ils.org|security@evergreen-ils.org]].
  
 NOTE: If you are an active Evergreen "bug wrangler" or similar, you may instead have an option to change "This bug contains information that is:" from "Public" to "Private Security". NOTE: If you are an active Evergreen "bug wrangler" or similar, you may instead have an option to change "This bug contains information that is:" from "Public" to "Private Security".
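Review bot: The added sentence offering security@evergreen-ils.org does not say who receives mail sent there or whether a report sent that way is kept as private as a Launchpad bug marked "This bug is a security vulnerability". Suggest one clause stating where the address delivers (for example, whether it reaches the private security team list) so reporters know the confidentiality they are getting.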
Line 28: Line 30:
 ====How are security fixes released?==== ====How are security fixes released?====
  
-After testing, the code will be merged to the relevant public Evergreen branches (origin/master, origin/rel_2_3, …) and the Launchpad entries will be marked as Fix Committed.  From here, the process proceeds the same as a regular non-security release, though every effort will be made to cut the releases in a timely fashion.+After testing, the code will be merged to the relevant public Evergreen branches (origin/main, origin/rel_2_3, …) and the Launchpad entries will be marked as Fix Committed.  From here, the process proceeds the same as a regular non-security release, though every effort will be made to cut the releases in a timely fashion.
 ====How are security releases announced?==== ====How are security releases announced?====
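Review bot: In the changed line under "How are security fixes released?", origin/master becomes origin/main but the example release branch is still the literal origin/rel_2_3. Suggest a version-neutral placeholder such as origin/rel_X_Y so the branch list does not need another edit each time the supported releases change.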
  
Line 54: Line 56:
 Membership applications may be made by contacting one of the current Membership applications may be made by contacting one of the current
 security team members; a list of the current members' names will be security team members; a list of the current members' names will be
-maintained on the Evergreen wiki.+maintained on the Evergreen wiki.  [(**Proposed addition, pending approval**) Application for membership should include indication that you have read and agree to the conditions stated above.]
  
 Violations of the promises in (2) and (3) may result in immediate Violations of the promises in (2) and (3) may result in immediate
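Review bot: The bracketed sentence added after "maintained on the Evergreen wiki." is labelled "Proposed addition, pending approval" inside the policy text itself, so an applicant cannot tell whether the requirement is in force. Suggest either keeping the proposal out of the policy page until it is approved, or recording the approval and dropping the marker. "The conditions stated above" would also be clearer if it named the numbered promises that the next paragraph refers to as (2) and (3).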
Line 72: Line 74:
 restricted resources in order to carry out their work: restricted resources in order to carry out their work:
  
-  * membership in the private security group on LaunchPad, which will allow them to see and+  * membership in the private security group on LaunchPad, which will allow them to see and act on bugs that are marked as private security bugs
   * a subscription and access to the private archives of the open-ils-security mailing list   * a subscription and access to the private archives of the open-ils-security mailing list
   * access to the Git repositories hosting security patches in progress.   * access to the Git repositories hosting security patches in progress.
 +
 +==== Current security team members ====
 +
 +  * Thomas Berezansky
 +  * Galen Charlton
 +  * Jeff Davis
 +  * Bill Erickson
 +  * Jeff Godin
 +  * Rogan Hamby
 +  * Kathy Lussier
 +  * Mike Rylander
 +  * Dan Scott
 +  * Chris Sharp
 +  * Ben Shum
 +  * Jason Stephenson
 +  * Yamil Suarez
 +  * Dan Wells
 +  * Liam Whalen
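Review bot: The new "Current security team members" list gives names only, with no "as of" date and no contact route, while the membership paragraph tells applicants to contact one of the current members and these members hold access to private security bugs, the open-ils-security archives and the in-progress patch repositories. Suggest adding a last-reviewed date to the heading or a line beneath it, and a pointer to how members can be reached, so stale entries are noticed and access can be reconciled against the list.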
dev/security.1426191984.txt.gz · Last modified: 2022/02/10 13:34 (external edit)

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International

© 2008-2022 GPLS and others. Evergreen is open source software, freely licensed under GNU GPLv2 or later.
The Evergreen Project is a U.S. 501(c)3 non-profit organization.