OSGeo Security Initiative

From OSGeo
Revision as of 09:41, 6 April 2023 by Jive (talk | contribs)

The OSGeo Security Initiative is *proposed* but not yet active. If you are interested in this activity, please volunteer by adding your name to this wiki page.

Volunteers:

  • Jody Garnett (GeoCat)

This is a challenging but important topic:

  • Supply chain attacks taking advantage of Open Source communities cause real harm. Automated tools for reviewing software components are providing much greater transparency into supply chain attacks, but are also putting a lot of pressure on open source projects.
  • The relationship established between industry and security researchers has resulted in an accepted CVE system for tracking and disclosing vulnerabilities in a responsible fashion. The communication and response times it establishes do not reflect the resources available to Open Source projects.

Once critical mass is reached, we will ask the board to create the initiative in order to pursue the above goals.

  • Option: Update the financial guidance document with clear examples for security issue funding (in the same fashion as code sprints have clear guidance). For example, a requesting project should have a CVE established and have assessed itself as vulnerable before seeking support. A cost-sharing arrangement similar to that for code sprints is anticipated.
  • Option: Establish an ongoing committee that can review incoming funding requests in a secure fashion on behalf of the board. This has privacy issues similar to those of the code of conduct committee and would need to be carefully considered.

While this initiative is not yet active, if your project is faced with an unexpected crisis, please reach out to OSGeo for assistance using the financial guidance document below.

References: