- Receive the email forwarded from “security@Islandora.ca”
- Respond to the person and gather more information on the reported issue.
- Create a Duraspace Ticket, tagged as security or sensitive (TBD)
- Arrange to convene an ISRT call within 2 business days of the original report
Determine whether any additional people should be included in the call and/or resolution development:
- Roadmap Committee member(s)
- Committer(s)
- Repository Maintainer(s)
- Other
Only private communication channels will be used until the fix is public.
- Develop an initial security assessment report of the risk and impact.
- If the Repository manager isn't involved, an ISRT member will be assigned as the tester and excluded from code development for this fix.
- Send initial report to a representative of the Islandora Foundation.
- Develop a fix with the decided parties
- Provide a fix in the form of a patch or an update to the repository associated with the incident. README.md will be updated if needed.
- The assigned tester will test the patch when ready
- A member who worked on the code will submit a pull request
- The assigned tester will merge the pull request
- A final report will be sent to ISIG and a representative of the Islandora Foundation
- Note: The only communication required to be public is the Duraspace ticket after the fix is accepted; this will be done by a representative of the Islandora Foundation.
Occasionally an email will be sent to ISRT to determine which members wish to continue to be on the response team.
There is a set time to respond; otherwise it is assumed the member is no longer interested in volunteering for the ISRT responsibility.