--- /dev/null
+The CSC designates a member as Security Lead, with responsibility for
+co-ordinating security posture. The Security Lead also keeps the CSC updated
+about vulnerabilities within Ceph and progress toward addressing them. The lead
+notably drives resolution of critical vulnerabilities.
+
+A responsibility of this role will be to give a monthly status report to the CSC
+on vulnerabilities and novel security concerns, such as AI exploit scanners and
+quantum-resistant encryption. They will also update the CSC with new and
+improved security processes. The Security Lead is the point of contact for and
+has responsibility for ensuring the proper intake, triage, and assignment of
+security vulnerabilities, and coordinate open source unembargos of security
+vulnerabilities when fixes are ready. This person will maintain the
+security@ceph.io email list, checking it regularly, and ensuring stakeholder
+emails are kept up to date on an occasional basis.
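Review bot: The sentence beginning "The Security Lead is the point of contact for and has responsibility for ensuring the proper intake, triage, and assignment of security vulnerabilities, and coordinate open source unembargos" loses its parallel structure at "and coordinate"; change it to "and coordinating open-source unembargoes of security vulnerabilities". The closing clause "ensuring stakeholder emails are kept up to date on an occasional basis" leaves the review cadence for the security@ceph.io list membership undefined; since this role already reports monthly, state a concrete interval, and consider adding how long a Security Lead serves, which the paragraph does not say.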
--- /dev/null
+In order to fully support Ceph, the security working group
+co-ordinates security improvements. This is essential as industry
+focuses more on security, and Ceph has become a mature software
+project. Vulnerabilities have increased in number and in complexity,
+and are expected to continue to do so. A reactive process is no longer
+adequate, and preemptive policies ought to be discussed within a group
+of knowledgeable and motivated people to ensure their viability.
+
+We welcome involvement in the Security Working Group. Any reasonable
+stakeholder in Ceph Security is encouraged to join with the approval
+of the CSC and Security group. Any CSC member may nominate someone to
+join the working group and attend meetings. Should someone not attend
+meetings for 1+ years, or breach an embargo intentionally, they will
+be removed and notified.
+
+By joining this working group, one may contribute to Ceph Security
+processes, see all embargoed bugs, and help coordinate fixes across
+upstream Ceph. There is no expectation to create security fixes,
+however, such efforts are welcome. The expectation is to triage,
+assign, and coordinate fixes as appropriate.
+
+The responsibilities are to attend a twice-monthly meeting for the
+working group, report back to the CSC on a monthly basis and to uphold
+any embargos on reported vulnerabilities. Additionally, tasks will be
+shared among volunteers from the group, based on interest and
+availability.
+
+Initial target projects are: Writing a Security Incident Response
+Process for Ceph, Writing an Embargo Process for Ceph, coordinating
+the fixes in our backlog of security bugs, coordinating penetration
+tests and scans of Ceph, reviewing dependencies and containers within
+Ceph for upgrades, and eventual collaboration on Ceph Quantum-Resistant
+encryption implementation.
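Review bot: The membership paragraph requires joining "with the approval of the CSC and Security group", but the removal rule ("they will be removed and notified") names no deciding body; state who decides removal so it matches the approval path. Minor wording in the same hunk: "uphold any embargos on reported vulnerabilities" should read "embargoes", and "There is no expectation to create security fixes, however, such efforts are welcome" is a comma splice; use "There is no expectation to create security fixes; such efforts are, however, welcome."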