Hello!
The Drupal Security Team is considering whether and how to engage with the press to achieve our goals. We're looking for a few people who have experience with PR who can help advise us on possible strategies and likely benefits/drawbacks of those strategies.
If we do decide to go ahead with some form of press engagement, we would want to find a few volunteers who can help us manage that process. Likely requirements of these volunteers include:
* identifying potential journalists to contact
* reaching out to journalists and managing relationships
* copy-editing media briefing emails
* working with security team members to respond to press inquiries
We're open to feedback either as comments on this issue, as emails to me, or perhaps in a live Google Hangout that we'll hold in a little bit to discuss the topic. If you're interested in the hangout, please comment here or email me to express interest and I'll coordinate some times.
Comments
Hello,
We've had some discussions so far with a few security-interested people and a few press-interested people and have nearly formulated our plan. If anyone would like to help provide feedback while it's in draft form, please ping me or comment here and I'll get in touch with a link.
The group's next step is to get agreement from the Security Team for our proposed processes and practices.
Once that's done I'll publish the draft here to get feedback from anyone.
Thanks!
knaddison blog | Morris Animal Foundation
Happy to review
Hey Greg!
I'd love to take a look and share thoughts.
cheers
Donna
Donna Benjamin
Former Board Member Drupal Association (2012-2018)
@kattekrab
Overall I think working with the press can be a very good thing for several reasons:
In terms of formulating the plan, I can be involved but my available bandwidth is fairly limited at the moment. If there is enough interest though, I think this would be a good thing.
Best,
-Rick
For what it's worth, here's a pre-release notification from Bash http://seclists.org/oss-sec/2014/q3/650
They give a surprising amount of information for a pre-release notification.
knaddison blog | Morris Animal Foundation
Summarizing
Based on this public conversation and the conversations within the security team mailing list, it seems that there is a general consensus that this can be a good thing if executed correctly. The only dissenting opinions that were voiced revolved around whether or not this would be valuable enough to pursue and whether or not the team had the bandwidth to pursue it. However, given the motivation and willingness of some members (myself included) to make this happen, I don't think those concerns are strong enough to justify not moving forward on this.
Therefore, I conclude that there is enough buy-in from the team to move forward on this. If I'm mistaken or out of line in that assertion, please speak up so we can hash that out.
If I am correct, then the conversation should re-focus onto execution. Given the core release window of next week (should it be needed), I think we should focus on defining the next tasks as well as the protocol for managing this in conjunction with the security advisories.
I propose the following:
Not trying to overcomplicate this if a simpler approach would suffice. I'm just eager to get the ball rolling, and breaking this down into next actions makes this more likely to inspire momentum on this.
-Rick