Posted by moshe weitzman on September 23, 2006 at 5:54pm
Notes from our session
- Documentation needed
- checklist for security reviews
- one page docs on XSS, SQL injection, db_rewrite_sql, ...
- Add link and form for submitting security review on a project.
- Only show positive reviews. Bad reviews send email to security team and owners
- Possibly show security advisories for some period of time on a project
- Add a security acknowledgement checkbox to the CVS request form: "I agree and understand"
- Add a security paragraph to the welcome message sent for contrib access
- Outreach to contrib authors. Newsletter, screencasts, ...
Comments
Show security advisories on projects
Would the advisories need to be added to a project manually? If so adding them should be restricted to member(s) of the security team.
Any thoughts of how long to leave advisories up for? Expiring after a year sounds good to me.