Hi Stamatis, Thanks for starting the thread, I can volunteer as well. -Ayush
On Tue, 12 Sept 2023 at 13:43, Stamatis Zampetakis <zabe...@gmail.com> wrote:
>
> Hey everyone,
>
> When someone discovers a potential security vulnerability for Hive (or
> any other Apache project) they can opt to inform the PMC of the
> project by following the ASF guidelines [1]. For Hive, the report
> should be sent to secur...@hive.apache.org.
>
> Next, the PMC follows the steps outlined in [2] to process the report
> and, if it is deemed necessary, release a fix for the vulnerability.
>
> In order to make the CVE process as smooth as possible and ensure that
> CVE reports are addressed in a timely manner, I would like to introduce
> the notion of a "CVE mentor".
>
> The "CVE mentor" is the one responsible for bringing the reported CVE
> to completion, ensuring that the steps in [2] are followed. They are
> the principal contact person between the reporter of the vulnerability
> and the PMC and the one who leads the discussions. The triage and fix
> can be done by the mentor or entrusted to a committer (ensuring of
> course that everything remains private till a fix is officially
> released). Given that we need to release a fix very soon after a
> vulnerability is fixed, the mentor may also need to act as the release
> manager. Since the reports arrive in the private list, the CVE mentor
> should be someone that has access to the security list (all PMC and a
> few other individuals).
>
> However, for the idea to work we need a few people (preferably PMC) to
> volunteer for the role of the "CVE mentor". Then the volunteers can
> pick incoming CVE reports in a round robin fashion. Needless to say
> that since I am the one proposing it, I would like to be part of the
> list.
>
> Any additional thoughts or suggestions on how to improve this process
> are very welcome. Also, if you like the idea and want to volunteer,
> please reply to this email to add yourself to the list.
>
> Best,
> Stamatis Zampetakis
>
> [1] https://www.apache.org/security/
> [2] https://www.apache.org/security/committers.html#possible