Security Officer Duties - openssl/project GitHub Wiki
Duty Roster
- Rotation Period: Every two weeks.
- Rotation Policy: Engineers are rotated regularly to ensure fresh perspectives and prevent burnout.
Responsibilities
Monitoring Reports:
Conduct regular and frequent checks for new security reports.
Security reports arrive via the [email protected] mailing list, so the Security Officer must be subscribed to it and must read the e-mails sent there.
Occasionally a report is sent to the wrong place: to the public GitHub issue tracker or to the [email protected] mailing list. The Security Officer should therefore monitor these two channels as well, although with lower priority.
Initial Assessment and Communication:
Perform the initial triage of the reported issue to assess its validity and severity.
- If the report is just spam, ignore it.
- If the issue is clearly not a valid security issue but the e-mail is otherwise legitimate, reply to the reporter explaining why it is not treated as a security issue.
- For some types of non-issues we have a template reply:
Thank you for sending the report to the OpenSSL security team. Your
report was for something in one of the categories below which
we do not class as a security vulnerability. These are things that we
are well aware of, they have been reported to us many times, but we do
not class as a security vulnerability and will not be taking any
further action.
Issues not classed as security relevant:
- A lack of DMARC or SPF records or incomplete records on our domains
- "Clickjacking" on our domains
- Directory listings. These are deliberate and do not contain
sensitive information
- Open .git directories
- Public data, usernames in build servers
- Systems that disclose the versions of the servers and software we use
- Data that is publicly accessible in our bug tracking systems (such as JIRA)
Regards, OpenSSL Security
- For issues that are valid bugs but not security issues, suggest that the reporter open a new issue on the public GitHub.
Otherwise, promptly acknowledge receipt of the report to the submitter, assuring them that their report has been recorded and will be addressed. This acknowledgment should also be sent to the [email protected] mailing list for transparency and record-keeping.