Summary
I'd like to propose that the security-wg develop a policy and set of practices to better handle the dramatic increase in folks escalating security issues to our mailing list.
Current State
- Our documentation includes an escalation path to the CNA mailing list
- Most projects include an escalation path after a set period of days to the foundation (examples 1 | 2 | 3)
- With the influx of AI, and signal-gating HackerOne, we are seeing a dramatic increase in mailing list escalations (see below)
- The mailing list is moderated; every message has to be reviewed by a human (currently) for validity before approving
Growth Over Time
The Ask
I do not think this is sustainable, and as a first line of review, LF staff does not have the expertise to vet these. For this reason I think we need to develop a combination of policy and workflow to better manage these requests. Things that I think could be on the table:
- Revisiting the escalation policy
- Switch from email to an intake form or GitHub issue with a template
- Simple decision tree (CNA related goes to the mailing list; if not, goes to Slack)
- HackerOne overflow path (something they go to before the mailing list)
- Canned responses
- A vetted prompt for AI to triage the email list, or prep the pending emails for review
- Other ideas from the experts