Security Emergency/Crisis Response resources (team, guide, etc) #100

Open
jenniferfernick opened this issue Oct 18, 2021 · 1 comment
@jenniferfernick

In our October 18 2021 WG meeting, I raised the question of "where do open-source projects turn in the event of a security crisis or emergency?" Here, security emergency could include, for example:

  • the project is under active attack by a threat actor
  • belief that their systems/project/build pipelines may have been compromised
  • discovery or receipt of a report of a vulnerability that they do not know how to patch
  • belief that a vulnerability in a project may be currently being exploited in the wild
  • high-impact vulnerability in project requires substantial coordination with affected downstream projects to mitigate damage

This is especially important when the affected project/individual does not know where to turn or who to trust for initial advice. Often, people's network strongly determines the support they are able to access in the event of a security crisis, which is inequitable; much of the basic information about how to deal with these scenarios is not (to our knowledge) documented.

Discussion resulted in us determining that:

  • this is not a solved problem / there's no place specifically for these projects to turn, currently
  • we may eventually wish to coordinate such a lifeline service
  • a meaningful first step could be to collect some guidance about what to do in a security emergency, to provide some initial trusted guidance for projects encountering these challenges

Prior to starting a repo for documenting such a guide, we decided to discuss via GitHub issue the scope of the problem and what an effective guide etc could look like.

@NicoleSchwartz
Contributor

A similar issue came up in today's meeting about guidance on data reporting (data loss, data breach)
