On Thu, Sep 20, 2012, at 10:50 AM, John Kinsella wrote:

> As this topic came up again, I wanted to discuss it without stealing from
> the IRC channel discussion.
>
> Basically - should CloudStack have a "security team" as a formal group? I
> see real and marketing value for such a thing, but I don't want to create
> structure/overhead that isn't needed. So really I guess my question to
> the community is "Do you feel the need for such a team?"
I'll let others weigh in on this, but for the purpose of this discussion we should note the existing Apache Security Team: http://www.apache.org/security/

Anything we do should probably loop in the folks who are already on the security team, and look to them for advice/suggestions/cautions, etc. Note that the Apache Security Team is strictly concerned with vulnerability reporting/handling.

It's also probably useful to read up on the project security for committers page for folks who haven't already: http://www.apache.org/security/committers.html

Finally, we have to be very cautious about over-selling any security efforts when we're recommending best practices, etc., so that it's very clear that we're not providing any warranties of security and so forth.

Best,

Joe

--
Joe Brockmeier
j...@zonker.net
Twitter: @jzb
http://www.dissociatedpress.net/