Just to focus the question a bit at what you might be asking...

On Wed, Dec 23, 2020 at 3:47 AM Mark Thomas <ma...@apache.org> wrote:
> On 23/12/2020 05:29, r00t 4dm wrote:
> > Hello,
> >
> > Generally speaking, what conditions need to be met to join ASF security team?
>
> - ASF member [1]
> - Demonstrated understanding of security vulnerabilities over an
>   extended period of time (typically via membership of the security team
>   for one or more ASF projects)
>

Each project of the ASF has a Project Management Committee. They determine on a project by project basis whether that project will have a security list, and if so, a restricted subset of the PMC who are actively participating (or a superset of some guest experts, who are generally, but not exclusively committers.)

The task of the ASF-wide security team is pretty narrow and mundane... simply ensure all projects are following best practices for communicating security issues, corresponding appropriately with reporters, and tracking reports spread across the organization. And lots of mentoring for projects not familiar with the process. The actual *work* happens project-by-project!

So if there is a project you are concerned with, the best starting point is to participate in the dev list and help fix defects, and at some point you'll inevitably be asked to help solve security defects. Or bring actionable concerns to the project's security@ or private@ list for evaluation and discussion.