The Security Team is a trusted group. This team is responsible for reviewing security reports and for carrying out a proactive audit at each major release. Security Team members are added by a vote of the Admins, following recommendations from current members.
Release responsibilities
- Review all issues previously reported on dev and sent to the security list.
- Ask bug reporters how they would like to be acknowledged.
- Contact all people that have helped in the past.
- Carry out the security audit as per our release procedures.
- Run doc/devtools/securitycheck.php and check each "potentially unsafe" file.
- Check for presence of all .htaccess files
- Add files to robots.txt (printed pages, etc.)
- Update security.tiki.org with sections for new version
- Run Security DB
Ongoing responsibilities
- Keep up to date:
  - Monitor what comes in on the security mailing list, and respond accordingly. Ex.: http://secunia.com/product/3356/?task=advisories
  - Ask bug reporters how they would like to be acknowledged.
- Proactively find ways to make Tiki more secure
- Release security patches
- Document current security-related things:
  - Filtering Best Practices
  - Interactions with security researchers and companies
Coordinator
- The security team coordinator is Brendan Ferguson (drsassafras)
- Ensures all disclosures are entered in the tracker and followed up in a timely fashion
- Makes sure proper credit is given to researchers for responsible disclosures
Task
- Document how to run SecDB for people running from SVN
- SecDB update is incorporated into doc/devtools/svnup.php now (since Tiki 16, I think)
Members
Brendan (drsassafras) is the security team coordinator, and John Chishugi is the assistant coordinator.