[Bug 510992] [security] Formally represent PMCs on the Security Team
Reported: Jan 24, 2017 15:49 EDT
Modified: Feb 05, 2021 16:21 EDT
Membership on the security team is currently ad hoc. I think that we should consider getting each of the PMCs to nominate one or more representatives to the security team.
These representatives would be automatically added to the firstname.lastname@example.org mailing list and so would receive all notices of security/vulnerability reports and have the opportunity to action those reports on behalf of their projects.
In practical terms, this will require the creation of a new project relationship in the database and an update to the process that maintains the mailing list based on that new relationship.
Is there any reason why this should be limited to PMCs? i.e. does it make sense for a regular project to have a security representative? Perhaps this is required for all PMCs, but optional for projects...