From Fedora Project Wiki

This is the initial policy that was approved by the steering committee on 2006-05-04.

The planned Security Response Team has these goals for now:

  • Monitor various security information sources for potential security problems (old and new ones)
  • When an issue is discovered: file appropriate bugs, alerting the maintainer of the need to patch their package.
  • Maintain a list of fixed and unfixed security issues in a public CVS repository (similar to how it is done for Core)
  • Create and post announcements for fixed packages to the appropriate mailing lists
  • Encourage and foster public discussion of various security issues and procedures via the fedora-security mailing list.

Those are the most important things for now. There are some further things that should probably be discussed and implemented after the Security Response Team is in place:

  • Handling embargoed issues / Bugs marked as private
  • A method of high-priority submission to the build system
  • The Extras project as a whole needs a way for a maintainer to designate that they have dropped maintenance of a particular branch. We need this to know whether the team has to wait for a maintainer.

Besides these most important tasks there is one more. Normally the maintainers are fully responsible for the security updates for their own packages, but

  • if the maintainer doesn't respond within x days after a bug was filed ("x" still needs to be defined -- the wiki has a good scheme that might be the right one),
  • if the maintainer is on holiday (we have a list in the wiki),
  • if the package or the specific package branch is orphaned, or
  • if the maintainer needs help,

The Security Response Team will lend assistance as needed.

(Note: There was a small discussion that the latter part of this proposal should be handled by its own SIG/Team/Task Force -- this idea was dropped for now, but can be put back on the table later if needed.)