From de2cbe61ee7e337131f65516bb938443db67b725 Mon Sep 17 00:00:00 2001 From: Sage McTaggart Date: Mon, 11 May 2026 10:58:57 -0400 Subject: [PATCH] docs/security: added workinggroup.rst and securitylead.rst Signed-off-by: Sage McTaggart --- doc/security/securitylead.rst | 14 ++++++++++++++ doc/security/workinggroup.rst | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 doc/security/securitylead.rst create mode 100644 doc/security/workinggroup.rst diff --git a/doc/security/securitylead.rst b/doc/security/securitylead.rst new file mode 100644 index 000000000000..1433e799033e --- /dev/null +++ b/doc/security/securitylead.rst @@ -0,0 +1,14 @@ +The CSC designates a member as Security Lead, with responsibility for +co-ordinating security posture. The Security Lead also keeps the CSC updated +about vulnerabilities within Ceph and progress toward addressing them. The lead +notably drives resolution of critical vulnerabilities. + +A responsibility of this role will be to give a monthly status report to the CSC +on vulnerabilities and novel security concerns, such as AI exploit scanners and +quantum-resistant encryption. They will also update the CSC with new and +improved security processes. The Security Lead is the point of contact for and +has responsibility for ensuring the proper intake, triage, and assignment of +security vulnerabilities, and coordinate open source unembargos of security +vulnerabilities when fixes are ready. This person will maintain the +security@ceph.io email list, checking it regularly, and ensuring stakeholder +emails are kept up to date on an occasional basis. diff --git a/doc/security/workinggroup.rst b/doc/security/workinggroup.rst new file mode 100644 index 000000000000..8dcbc656297f --- /dev/null +++ b/doc/security/workinggroup.rst 
@@ -0,0 +1,33 @@ +In order to fully support Ceph, the security working group +co-ordinates security improvements. This is essential as industry +focuses more on security, and Ceph has become a mature software +project. Vulnerabilities have increased in number and in complexity, +and are expected to continue to do so. A reactive process is no longer +adequate, and preemptive policies ought to be discussed within a group +of knowledgeable and motivated people to ensure their viability. + +We welcome involvement in the Security Working Group. Any reasonable +stakeholder in Ceph Security is encouraged to join with the approval +of the CSC and Security group. Any CSC member may nominate someone to +join the working group and attend meetings. Should someone not attend +meetings for 1+ years, or breach an embargo intentionally, they will +be removed and notified. + +By joining this working group, one may contribute to Ceph Security +processes, see all embargoed bugs, and help coordinate fixes across +upstream Ceph. There is no expectation to create security fixes, +however, such efforts are welcome. The expectation is to triage, +assign, and coordinate fixes as appropriate. + +The responsibilities are to attend a twice-monthly meeting for the +working group, report back to the CSC on a monthly basis and to uphold +any embargos on reported vulnerabilities. Additionally, tasks will be +shared among volunteers from the group, based on interest and +availability. + +Initial target projects are: Writing a Security Incident Response +Process for Ceph, Writing an Embargo Process for Ceph, coordinating +the fixes in our backlog of security bugs, coordinating penetration +tests and scans of Ceph, reviewing dependencies and containers within +Ceph for upgrades, and eventual collaboration on Ceph Quantum-Resistant +encryption implementation. -- 2.47.3
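Review bot: in the securitylead.rst hunk, the sentence "The Security Lead is the point of contact for and has responsibility for ensuring the proper intake, triage, and assignment of security vulnerabilities, and coordinate open source unembargos of security vulnerabilities when fixes are ready." does not parse ("has responsibility for ... and coordinate") and "unembargos" is not a word; suggest "The Security Lead is the point of contact for security vulnerabilities, is responsible for their proper intake, triage and assignment, and coordinates the public lifting of embargoes once fixes are ready." The same hunk leaves "CSC" unexpanded on first use, mixes "co-ordinating" with "coordinate", and describes the security@ceph.io duties as both "checking it regularly" and keeping stakeholder emails current "on an occasional basis"; pick one hyphenation and give the stakeholder-list update a concrete cadence so the duty is auditable. Finally, the new file has no RST section title and this patch adds no toctree entry for it (only the two files are created), so Sphinx will warn that the document is not included in any toctree; add a title such as "Security Lead" and reference the page from the existing doc/security toctree.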
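Review bot: in the workinggroup.rst hunk, the membership clause "Should someone not attend meetings for 1+ years, or breach an embargo intentionally, they will be removed and notified." only addresses intentional breaches, yet the next paragraph grants every member visibility of "all embargoed bugs"; state what an accidental disclosure triggers (for example a CSC review) and that members acknowledge the embargo obligations before they are given access, otherwise the policy has no handling for the more common failure mode. The approval sentence "with the approval of the CSC and Security group" leaves "Security group" undefined (the working group itself, or something else?), and the plural is spelled "embargos" in two places against the singular "embargo"; use "embargoes" throughout. The closing paragraph ("Initial target projects are: Writing a Security Incident Response Process for Ceph, Writing an Embargo Process for Ceph, ...") mixes capitalisation mid-sentence and would read better as an RST bullet list with one project per item. As with the other new file, add a section title and a toctree entry so the page is actually reachable in the built docs.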