
security reviewers must not have a conflict of interest #156

Closed
ultrasaurus opened this issue May 2, 2019 · 6 comments
Labels: assessment-process (proposed improvements to security assessment process), help wanted (Extra attention is needed)

Comments

@ultrasaurus
Member

We are practicing this, but we need some language that describes exactly what we believe represents a conflict of interest.

For starters:

  • no one who is on the core team of the project should be a security reviewer
  • if someone is a user of the project or has contributed a PR, that is fine (and would be positive attribute for a reviewer)
@ultrasaurus ultrasaurus added the assessment-process proposed improvements to security assessment process label May 2, 2019
@ficcaglia

at the very least anyone actively contributing to the opinions published to the TOC should (voluntarily) PR their own attestation. whether it is vetted or not is secondary...at least we will have something in the commit stream that we can refer back to later if ever needed. maybe it is as simple as:

_ I have no known conflicts of interest.
_ I have a non-financial conflict of interest (e.g. I am a core contributor)
_ I have a financial conflict of interest (e.g. I am an employee of a company monetizing this project, or an investor, etc.)
_ I am a nation state hacker who wants to subvert the project (haha)

@ultrasaurus
Member Author

this is a great suggestion -- where would we put this? it might be most convenient in the issue or perhaps a template for each security assessment...?

@ultrasaurus ultrasaurus added the help wanted Extra attention is needed label Jul 2, 2019
@ultrasaurus
Member Author

This would be a great issue for someone to take on who is interested in getting involved with security assessments (or just willing to help with governance). Next steps would be a specific suggestion of which doc(s) to add this to and how to adjust the process to include this step.

@lumjjb
Collaborator

lumjjb commented Jul 9, 2019

I will take this up. Assigning myself.

@lumjjb lumjjb self-assigned this Jul 9, 2019
@ultrasaurus
Member Author

Just wrote up cncf/toc#270 to suggest that there be guidelines from the TOC, which we don't have to wait for, but definitely want to reference and contribute to.

@lumjjb
Collaborator

lumjjb commented Aug 1, 2019

Thanks @ultrasaurus! Sorry, I've been a bit behind on this. I will write this up soon, and will also probably be one of the first to test this out because of the Redhat Keycloak assessment. :)
