Add security working group #38
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,109 @@ | ||||||
| # Security Working Group | ||||||
|
|
||||||
| 🚧 Draft charter: this working group isn't currently approved. The proposal is for establishing a formal security team to coordinate Django's security efforts. | ||||||
|
|
||||||
| This charter proposes the formation of an official Security Working Group to formalize and expand the security coordination efforts that have been part of Django's development process. The Security Working Group will be responsible for ensuring that Django and associated projects maintained by the Django Software Foundation maintain high security standards and respond effectively to security incidents. | ||||||
|
|
||||||
| ## Responsibilities | ||||||
|
|
||||||
| This working group will focus on security aspects of the Django project. The team will be responsible for addressing security concerns, reviewing vulnerability reports, and providing guidance on security best practices throughout the Django ecosystem. | ||||||
|
|
||||||
| The duties of the working group are: | ||||||
| - Receive, triage, and respond to security vulnerability reports for Django | ||||||
| - Coordinate the release of security patches with the Django release team | ||||||
| - Review security-related pull requests across Django projects | ||||||
| - Provide security guidance on Django features and APIs | ||||||
| - Monitor the security landscape to proactively identify potential vulnerabilities | ||||||
| - Help maintain Django's security documentation | ||||||
| - Develop and maintain security-related packages in the Django ecosystem | ||||||
| - Provide security advice to Django package maintainers when requested | ||||||
|
There was a problem hiding this comment. Suggestion: If this is going to be done, I think it should be separate from the vulnerability report address, which is already fairly noisy from spam. There was a problem hiding this comment.
|
||||||
| - Assist with security aspects of the djangoproject.com website | ||||||
| - Mentor new contributors interested in Django security | ||||||
| - Run or support security-focused sessions in DjangoCon sprints | ||||||
| - Chair, Co-Chair and Board Liaison can sign off on security decisions | ||||||
|
There was a problem hiding this comment. Question: What is a "security decision"? There was a problem hiding this comment. Also... sign off... — who's doing that? WG's get their powers from the Board or (since #36) the Steering Council. (The point being there that the Board doesn't have responsibility for technical decisions.) Security being a technical question, those powers would come from the Steering Council. DEP 10, however, has explicit mention that the SC may not hold up a release (for example) that the Security Team has approved. That makes sense: the SC aren't going to hold up a security release. In this sense (at least some) Security Team decisions are not to be signed off even by the body (SC) which extends them their powers (under the WG rubric). I can imagine other aspects which could be referred back to the SC, at least in principle. I think all that could do with clarifying. There was a problem hiding this comment. If the wording is meant to be that the Chair or Co-Chair approve security releases, I'm not opposed to that, even if just to ensure the WG are wholly aligned on the release. There was a problem hiding this comment. For what it's worth, DEP 10 explicitly intended for the security team to have the power to act on its own initiative without needing to consult any other governance body in advance, because sometimes the security team has to get something out the door Right Now. The idea was that the appropriate technical governance body could review after the fact and ask for further action to be taken, but would never be able to prevent security team action or require approval in advance. |
||||||
|
|
||||||
| ## Initial membership | ||||||
|
|
||||||
| - Chair: TBD | ||||||
| - Co-Chair: TBD | ||||||
| - Board Liaison (must be an active Board member; may be the same as Chair/Co-Chair): TBD | ||||||
| - Other members: | ||||||
| - TBD | ||||||
| - ... | ||||||
|
There was a problem hiding this comment. I assume this will be the Security team members as-is? There was a problem hiding this comment. This is perhaps a good opportunity to check with the existing members whether they'd like to continue their position. I think at least for the migration to a WG, we shouldn't switch members too much during the transition. There was a problem hiding this comment. We did a round of that at the end of last year, so I don't think we need to do another check-in quite so soon. |
||||||
|
|
||||||
| ## Future membership | ||||||
|
|
||||||
| ### Who is eligible to join? Any volunteer, or are there specific requirements? | ||||||
|
|
||||||
| Members must have interest in Django security and should have experience with web security concepts, particularly as they relate to Django applications. Prior experience with Django and its security mechanisms (e.g., CSRF protection, XSS protection) is highly recommended. Members should be familiar with the Django [security release process](https://docs.djangoproject.com/en/dev/internals/security/) or willing to learn. | ||||||
|
|
||||||
| We welcome contributors with various levels of experience, but due to the sensitive nature of security work, members should demonstrate a track record of responsible security practices. Experience with security vulnerability assessment, analysis, or remediation is a plus. | ||||||
|
Comment on lines
+36
to
+40
There was a problem hiding this comment. I think this needs to be a little stricter. Because the WG deals with vulnerability reports, I think this needs to retain the "invite only" nature. Membership takes more than just "experience with web security concepts". |
||||||
|
|
||||||
| ### Access granting and deployment | ||||||
|
|
||||||
| Initial onboarding phase where only Chair and Co-Chair have permissions to access security reports and coordinate responses. After onboarding of 6 months, other group members who have proven their expertise will be granted access to the security issue tracker and response coordination at the discretion of the chair and co-chair. | ||||||
|
There was a problem hiding this comment. Thought: This seems to separate being on the WG and being involved in vulnerability response. That feels like it creases an "inner circle" in the group, which should probably be avoided. |
||||||
|
|
||||||
| The deployment of security fixes will be coordinated with the Django release team and the ops team. | ||||||
|
|
||||||
| ### How do people who want to join sign up / volunteer / express interest? | ||||||
|
|
||||||
| Individuals can express interest by opening a PR to this working group repository using a template, adding their names in the list of members along with a brief description of their security experience and motivation to join the group. | ||||||
|
|
||||||
|
Comment on lines
+50
to
+51
There was a problem hiding this comment. Issue: I think this needs to remain invite-only. There was a problem hiding this comment. Would there be a benefit to having an avenue for community members to register their interest and state their experience to join? I don't think that necessarily means they would be able to join. The Fellowship and CoC work similarly where the membership is tightly controlled and not open. There was a problem hiding this comment. There used to be a process to apply to receive advance notification of security releases, which included details and patches. This was intended for packagers/distributors of Django and for some of the largest and potentially highest-impact organizations using Django, to give them a bit more time to prep for a security release and to ensure they didn't get caught by surprise. But that just attracted way too many low-quality applications from people saying "I am interested in this, please add me to the list", and eventually it was wound down. Now we have a different process where a small list -- which does not have a public application process and is managed entirely by the security team -- of entities (i.e., Linux distros) get full details in advance and there's a public mailing list that gets generic statements that there will be a release on I think any sort of "register your interest" would end up the same way, and I don't want to create anything that would give people the expectation they'd be added to the security team eventually if they fill out a form and wait. |
||||||
| Alternatively, individuals can send an email to the Chair or Co-Chair expressing interest and outlining their qualifications and motivation. | ||||||
|
|
||||||
| ### How will decisions on adding/removing members be handled? | ||||||
|
|
||||||
| Direct membership: new members may self-nominate; the WG will vote (50%+1) to approve/deny new members. The WG will vote for New Chair/Co-Chairs and decision to appoint will be based on gaining majority votes. | ||||||
|
|
||||||
| Members join the group for one year term. At the end of this term, they need to opt into staying involved to keep being a member of the group. | ||||||
|
|
||||||
| Due to the sensitive nature of security work, members who fail to adhere to responsible disclosure practices or exhibit other concerning behavior may be removed by a vote of the working group (50%+1) or by decision of the Chair and Co-Chair in consultation with the Board Liaison. | ||||||
|
There was a problem hiding this comment. Issue: I think for the sake of Django's security, this needs to be a little stricter.
Suggested change
|
||||||
|
|
||||||
| ## Budget | ||||||
|
|
||||||
| No allocated budget. | ||||||
|
|
||||||
| Sums may be provided for specific activities (e.g. security audits, external consultancy, security tooling, bug bounty programs) subject to approval by the DSF board. | ||||||
|
|
||||||
| ## Communications | ||||||
|
There was a problem hiding this comment. Suggestion: To ease openness, since by definition the group is fairly closed, should there be some kind of discussion minutes / monthly updates from the team? Obviously vulnerability details (even number of reports) can't be included, but other discussions probably can be. That way people outside the WG can get involved in some discussions. I'm thinking in a similar model to what the current Steering Council do. |
||||||
|
|
||||||
| - Private channel in the DSF slack for internal discussions | ||||||
| - Encrypted communication channels for sensitive security discussions | ||||||
|
There was a problem hiding this comment. Thought: This currently happens by email (without PGP). Is there a need to keep this separate. For context, the Wagtail security team do all discussions in a private Slack channel. |
||||||
| - Public reports of resolved security issues on the Django security page | ||||||
| - The Django forum sub-section "Security" of Django Internals for general security discussions | ||||||
|
|
||||||
| ## Reporting | ||||||
|
|
||||||
| We'll maintain a private log of all security reports and their resolutions. Public disclosures will follow Django's established security release process. | ||||||
|
There was a problem hiding this comment. There's an email history from the list, but otherwise I don't think there's a "log" of reports (besides ones which are published). |
||||||
|
|
||||||
| The working group will provide quarterly reports to the DSF board summarizing activities (with sensitive details redacted as appropriate). | ||||||
|
|
||||||
| ## Appendix | ||||||
|
|
||||||
| ### Group activities | ||||||
|
|
||||||
| As an illustration of the group's remit, here are possible activities members could take part in: | ||||||
|
|
||||||
| #### Security Review Process | ||||||
|
|
||||||
| - Establish a formal process for reviewing security-related PRs across Django projects | ||||||
| - Create templates and checklists for security assessments | ||||||
| - Develop guidelines for security considerations in code reviews | ||||||
|
|
||||||
| #### Security Documentation Enhancement | ||||||
|
|
||||||
| - Regularly review and update Django's security documentation | ||||||
| - Create more comprehensive guides for security best practices | ||||||
| - Develop case studies of common security vulnerabilities and their solutions | ||||||
|
|
||||||
| #### Security Training | ||||||
|
|
||||||
| - Develop training materials for Django contributors on security topics | ||||||
| - Host workshops or office hours for package maintainers seeking security advice | ||||||
| - Prepare security-focused sessions for DjangoCon events | ||||||
|
|
||||||
| #### Proactive Security Measures | ||||||
|
|
||||||
| - Conduct periodic security reviews of Django's codebase | ||||||
| - Monitor CVEs and other security disclosures for relevant vulnerabilities | ||||||
| - Explore integration of additional security tools in the Django development process | ||||||
|
There was a problem hiding this comment. How we approached this with the Accessibility Team was to redefine it here with the existing scope with minor adjustments to scope and governance. I think reducing these to what is done today and what is needed to keep Django moving forward may work better for this PR. |
||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Suggestion: Explicitly mention that other projects under the Django umbrella are in scope.