Security Response Committee - Current Status? Future Plan?

[dims]

https://opentelemetry.io/docs/security/security-response/#public-disclosure-processes has one reference to Security Response Committee (SRC) and no other references to it anywhere else.

It also places the TC cncf-opentelemetry-tc@lists.cncf.io as an intermediary to the SRC.

Only other references in can find in github is in docs that are in draft status:
https://github.com/search?q=org%3Aopen-telemetry%20%2FSecurity%20Response%20Committee%2F&type=code

So is there a SRC?
Who is on it? How do you staff it?
What is it supposed to do?
When are drafts going to become policy?

xref: https://github.com/kubernetes/committee-security-response
xref: https://github.com/containerd/project/blob/main/SECURITY_ADVISORS
xref: https://github.com/argoproj/argoproj/tree/main/sigs/sig-security

[dims]

xref: cncf/toc#1739

[dims]

cc @TheFoxAtWork

[dims]

cc @ms-jcorley @eyang

[austinlparker]

cc @trask @reyang

[ms-jcorley]

I believe there was an attempt to create an SRC (similar to the Kubernetes project's version), but I don't think it ever got off the ground. We are in the process of re-writing the vulnerability management guidance to both reflect the reality of what is currently happening as well as give more crisp guidance to both reporters and the maintainers who are responding.

The latest PR on that:
open-telemetry/sig-security#129

It seems that we will also need to clean up documentation in other repo's, including the website, to match.

EDIT: "When are drafts going to become policy?"
Sorry, those are stale. I'll send a PR to remove the draft folder soon so they don't cause any confusion.

[ms-jcorley]

I've merged the PR for the updates to our process in SecSIG.
open-telemetry/sig-security#129

I've created a PR to remove the confusing draft docs from SecSIG:
open-telemetry/sig-security#141

I also created a PR to update the copy of the security response info that is on the website:
open-telemetry/opentelemetry.io#7235

[TheFoxAtWork]

Thanks @ms-jcorley, let us know when those are merged to close this issue.

[trask]

hi @TheFoxAtWork! these are all merged now

[TheFoxAtWork]

Fabulous thank you! CC @dims