
Create Security Team Folder and place holder files for items that need to be added. #7043

Merged
merged 38 commits into from
May 16, 2023

Conversation

akgraner

No description provided.

@kimwnasptd
Member

Thanks for sending the PR @akgraner! Took a small look and had some nits regarding the namings and folder structure.

Taking inspiration from what we did for the release team (https://github.com/kubeflow/community/tree/master/releases), what I'd suggest would be:

security/
  meetings/
    01-02-2023.md
    01-03-2023.md
    ...
  policies-and-procedures.md
  roadmap.md
  security-team.md

The above are minor nits, but I believe they will help ensure we use similar names for similar files across the project.

@akgraner
Author

@kimwnasptd thank you! I'll get those fixed. Appreciate the feedback.

@akgraner
Author

Deleted the original directory and folders and added the directories and folders in the correct format.

@kimwnasptd
Member

Thanks!

/lgtm

@google-oss-prow google-oss-prow bot added size/M and removed size/S labels May 16, 2023
akgraner added 3 commits May 16, 2023 08:28
Added the first iteration of the Kubeflow Security Team's Policies and Procedures.
Added placeholders for Security Team Roadmaps.
Removed an OWNER who is not part of the org yet and added Josh and Kimonas so that we don't miss any requests.
@akgraner
Author

Thanks everyone for all the feedback. Much appreciated.
Here's what's been done.

  • Fixed all the empty folders
  • Added the first iteration of the Security Team Policies and Procedures
  • Added the OWNERS file
  • Deleted the Team Members folder and the Meetings folders
  • Updated the meeting link
  • Updated the Notes link

@kimwnasptd and @james-jwu can you please review? I think it should be good to go now.

@kimwnasptd
Member

Looks great @akgraner, thank you!

/lgtm

@google-oss-prow google-oss-prow bot added the lgtm label May 16, 2023
@zijianjoy
Contributor

/assign @theadactyl @james-jwu


The Kubeflow Security team (listed below as “we”) will take a multi-level, transparent approach to the security of Kubeflow (product/code). At this time we will base this effort to align with each release. As noted above as we get more volunteers to help with these efforts we will continue to iterate on the cadence.

1. We will encourage Kubeflow users to open issues with the respective WG that the vulnerability was found and tag it with the “security” tag. If they don’t know how to do that or don’t feel comfortable doing so, they can also contact us via our #security slack channel. And if a private mailing list/group is needed we will set that up.
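Review bot: step 1 asks reporters to open a public issue with the respective WG and tag it "security", which publishes vulnerability details before a fix exists; route reports through a private channel first (a private mailing list, which the same sentence already mentions as a possibility, or GitHub private vulnerability reporting) and keep public issues for the post-fix advisory. Two wording points in the first paragraph: "we will base this effort to align with each release" does not say what happens per release (triage, review, advisory publication?), and "As noted above" has no antecedent within this file.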
Contributor


It is strongly recommended that we don't add a security tag to an open issue.

You can find a security template put up by CNCF in https://github.com/cncf/tag-security/tree/main/project-resources.

Reference: https://github.com/cncf/tag-security/blob/main/project-resources/templates/SECURITY.md#reporting-a-vulnerability

Most CNCF projects right now use email to notify security issues. GitHub just released their private vuln reporting feature (https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability). Either an email shared among the people who will be responsible for vuln response or this new GitHub reporting channel is fine.

Author

@akgraner akgraner May 16, 2023


@zijianjoy, I agree, but when I asked about getting an email created for the security team there was some pushback. Since Google has to create the email address, can you all create a security@kubeflow.org email for the team? The Working Groups asked that security issues related to the respective working groups be filed there, so (at the time) without being able to create an official email for the group, and with the resources we had available, we came up with the above process. I'll take a look at the resources you have listed, rework the process, and bring it up to the group on the 24th at our next meeting.

In order to get this PR approved, if I change this file to say we are currently working on the process and add a link to our meeting notes, would this work for the sake of approving this?

Contributor

@zijianjoy zijianjoy May 16, 2023


We are in discussion about creating such an email address. Makes sense to track this effort in another PR. In the meantime, James Wu has LGTMed your PR here. This PR looks good to me too.

Took out the policy and procedures wording based on James Liu's comments. And will rework this based on the suggestions provided and present to the Security Team for our next meeting.
@google-oss-prow google-oss-prow bot removed the lgtm label May 16, 2023
Removed jbottom from Owners list
@akgraner
Author

akgraner commented May 16, 2023

@james-jwu and @theadactyl - in addition to the list from earlier this morning, I also removed the wording for the policies and procedures and will rework this based on @zijianjoy's suggestions above. I removed @jbottum from the owners list. Can this PR now be approved?


Kubeflow Security Team [Policy and Procedure Working Document] (https://docs.google.com/document/d/1vw_efQyYG_zWEoL-vk9mZQX5p7fOcl3RTG6pcxMhYKI/edit?usp=sharing) - Please note this is only a **WORKING** Document.

We are always looking for Kubeflow community users and contributoes to help us. If you would like to help the security team with these docs or other items please consider doing the following:
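Review bot: the markdown link on the first line is broken: there is a space between `]` and `(` in `[Policy and Procedure Working Document] (https://docs.google.com/...)`, so it renders as literal text plus a bare URL rather than a link; remove the space. Also "contributoes" on the second line should be "contributors".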
Contributor


Typo: contributors

Author


@james-jwu - Thank you! Fixed this typo.

We are always looking for Kubeflow community users and contributoes to help us. If you would like to help the security team with these docs or other items please consider doing the following:
* Join the Kubeflow Slack Security Channel: #security
* Join our meetings bi-weekly on the Wednesday's at 8am Pacific/10am Central. (To find out what that is in your time zone go to [timeanddate.com](https://www.timeanddate.com/). This meeting is on the Kubeflow community calendar; however if you would like to be added to the invite please reach out to Amber Graner on Slack (@akgraner) The invite information is also pinned to the security slack channel.
* Meeting Notes: If you would like to see what we have previously discusses you can see the meetings folder in the security folder or you can go to our [gdoc](https://docs.google.com/document/d/1xGkg9GuO2OjvYhdONJFbSrpF66UKhtYonczttJoTv3s/edit?usp=sharing)
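Review bot: the third bullet sends readers to "the meetings folder in the security folder", but the PR summary above states the Meetings folders were deleted in this PR; either restore that folder or drop the clause and keep only the gdoc link. In the second bullet the parenthetical opened at "(To find out what that is in your time zone" is never closed, and "Wednesday's" should be "Wednesdays".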
Contributor


Typo: discussed

Author


@james-jwu - Thank you! Fixed this typo.

@james-jwu
Contributor

/lgtm

Fixed typos and hyperlink.
@google-oss-prow google-oss-prow bot removed the lgtm label May 16, 2023
@akgraner
Author

@james-jwu fixed the typos and the broken hyperlink, which removed your lgtm. Sorry about that. Can you re-approve? Please and thank you.

@james-jwu
Contributor

/lgtm
/approve

@google-oss-prow google-oss-prow bot added the lgtm label May 16, 2023
@google-oss-prow

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: eslerm, james-jwu


@google-oss-prow google-oss-prow bot merged commit f96be9a into kubeflow:master May 16, 2023
2 checks passed