[Voting Closed] Jenkins Security MVP 2023 🏆 #6034

Closed
alyssat opened this issue Feb 13, 2023 · 8 comments
Labels
cdf (Changes related to Continuous Delivery Foundation), community (Posts and topics for community engagement), governance

Comments

@alyssat
Contributor

alyssat commented Feb 13, 2023

This issue is to receive nominations for the Jenkins Security MVP 2023. This award is presented to an individual most consistently providing excellent security reports or resolving security issues.

To nominate someone, reply to this issue with the following:

  1. Full name of the person you’re nominating
  2. Short description of their contributions to Jenkins and why they should win.

Nomination Deadline: Friday, March 3, 2023

Please note: Last year's winner, Wadeck Follonier, cannot win the award for Jenkins Security MVP again this year.

More details are available here https://github.com/cdfoundation/foundation/blob/main/CDF%20Awards%20Guidelines.md

@NotMyFault NotMyFault pinned this issue Feb 14, 2023
@kmartens27 kmartens27 added the cdf Changes related to Continuous Delivery Foundation label Feb 15, 2023
@kmartens27 kmartens27 changed the title from "[Nominations Open] Jenkins Security MVP 2023" to "[Nominations Open] Jenkins Security MVP 2023 🏆" Feb 15, 2023
@kmartens27 kmartens27 added the community Posts and topics for community engagement label Feb 16, 2023
@smerle33
Contributor

smerle33 commented Feb 28, 2023

I would like to nominate:

  • Damien Duportal @dduportal
  • For his continuous work on the security on the jenkins-infra, not only by following all the best recommendations in the matter but also for being proactive and tackling the whole security problem from the ground.

@Wadeck
Contributor

Wadeck commented Mar 3, 2023

Devin Nusbaum @dwnusbaum

  • For his very deep understanding of the Groovy sandbox that is key for the Pipeline feature of Jenkins
  • His numerous reports on that plugin (recently SECURITY-2824, SECURITY-3016)
  • Also, his huge contributions to the corrections themselves
  • Finally, he's always available to brainstorm with the security team about its process

@Wadeck
Contributor

Wadeck commented Mar 3, 2023

Daniel Beck @daniel-beck

  • For the Jenkins code scanning tooling project he started and went to GA recently (announcement)
  • His ever ending improvements on the security documentation for jenkins.io
  • 50+ vulnerabilities reported by Daniel that were published during last year
  • His continuous effort to ensure the update center is stable and secure

@daniel-beck
Contributor

Valdes Che Zogou @ValdesChe reported several dozen security vulnerabilities in Jenkins and Jenkins plugins in 2022.

Most notable findings:

Of course there are many others; Valdes was credited in most security advisories in the second half of 2022, and beyond.

@daniel-beck
Contributor

Kevin Guerroudj @Kevin-CB joined CloudBees and the Jenkins security team in late 2021, quickly becoming a prolific contributor. Since he joined he has reported well over a hundred security vulnerabilities, and has been credited in almost every advisory since then. Many of his discoveries were the result of in-depth reviews of the Jenkins plugin ecosystem. Plugins that are safer now due to his discoveries include Badge, CVS, Dashboard View, Git Parameter, GitLab, Jira, Node and Label parameter, and promoted builds.

These are not his first contributions to Jenkins security though. Kevin has already been nominated previously in 2021 for his contributions to Jenkins security during his coursework at university.

He's also a frequent reviewer of new plugin hosting requests, ensuring a high standard of security for newly hosted plugins.

@MarkEWaite
Contributor

I second the nomination of @daniel-beck for his contributions to security processes, security documentation, and security issues. He's a dedicated and skilled contributor that provides excellent guides that allow others to participate in security fixes. I've benefited from his clear descriptions and his high standards in software development and in documentation.

@kmartens27
Contributor

At this time, the nomination period has closed, and the voting period has opened. To participate and vote, use this link to navigate to the Google form and fill out your responses.

@kmartens27 kmartens27 changed the title from "[Nominations Open] Jenkins Security MVP 2023 🏆" to "[Voting Open] Jenkins Security MVP 2023 🏆" Mar 8, 2023
@NotMyFault NotMyFault unpinned this issue Mar 28, 2023
@kmartens27 kmartens27 changed the title from "[Voting Open] Jenkins Security MVP 2023 🏆" to "[Voting Closed] Jenkins Security MVP 2023 🏆" Apr 4, 2023
@kmartens27
Contributor

This issue is being closed, as the voting period has now ended, and the Jenkins awards winners will be announced at cdCon 2023 (May 8-9). Thanks to all for participating and helping us recognize the amazing contributions and work that has been done over the past year.

6 participants