OSGeo Security Initiative
The OSGeo Security Initiative is *proposed* but not yet active. If you are interested in this activity, please volunteer by adding your name to this wiki page.
- Jody Garnett (GeoCat)
This is a challenging but important topic:
- Supply chain attacks that take advantage of Open Source communities cause real harm. Automated tools for reviewing software components provide much greater transparency into supply chain attacks, but they also put a lot of pressure on open source projects.
- The relationship established between industry and security researchers has resulted in a decent CVE system for tracking and disclosing vulnerabilities in a responsible fashion. However, the communication and response times it establishes do not reflect the resources available to Open Source projects.
Once critical mass is reached, we will ask the board to create a committee to pursue the above goals.
- A specific mandate is not yet available while the committee forms; see the initiative proposal by Jody Garnett below for some ideas.
- Option: Update the financial guidance document with clear examples for security issue funding (in the same fashion as code sprints have clear guidance). As an example, requesting projects should have a CVE established and have assessed their project as vulnerable before seeking support. A cost-sharing arrangement similar to that for code sprints is anticipated. There is already a secure line of communication available for community members to contact the board.
- Option: Establish an ongoing committee that can review incoming funding requests in a secure fashion on behalf of the board. This has privacy issues similar to those of board communication and the code of conduct committee, and the workflow would need to be carefully considered.
While this initiative is not yet active, if your project is faced with an unexpected crisis, please reach out to OSGeo for assistance using the financial guidance document below.
- OSGeo Financial Guidance provides the application process
This is the initial proposal to the board:
proposed security initiative
An idea that occurred to me last year, after successfully running a fundraising effort in response to log4j security issues, was that ... 2022 was terrible.
With this in mind I would like to propose an "osgeo security initiative" with very limited emergency scope.
- Projects apply when faced with an emergency in a fashion similar to the code-sprint initiative
- Projects would require registration of a formal CVE number for the vulnerability (in practice security researchers register these numbers on a project's behalf.)
- Projects would require a clear budget for the request (standard practice just like a code sprint or event)
- Challenge: Some secure channel is required for this communication because mean people exist
- Challenge: Funding for preventative measures is not supported to limit scope of this initiative
If done correctly the initiative can raise funds as more organizations are sensitive to the security of the open-source components they have come to depend on. Ideally it can also be an outreach opportunity to engage with security professionals.
I have added this topic to both the upcoming meeting and 2023 budget.
While the committee was not ready in time for the budget process, the OSGeo board is following up on the activity here.