Open Naomi-Wash opened 2 months ago
@Naomi-Wash Can I ask what the plan of action is here? I see all (also my) opinions stated above, but nobody contributing further/leading this to resolution for months now (first in the Google doc, then here). Is there any timeline for adopting the lifecycle document? Is the intention to resolve the above differences in opinion (that are relevant to the lifecycle doc) first? Or is the idea to simply "enact" the lifecycle doc without discussion/getting agreement on its contents such as per this issue?
This obviously also pertains to the proposed change of purpose of PQCA as discussed in #44 and IMO has a profound impact on what PQCA needs to spend its money on (as per the above, e.g., security engineers/engineering, if the mission change occurs) or not (if not).
Reviewing the correspondence above, I believe it would be a good goal for the security workgroup to define a set of minimum standard security guidelines and best practices that then get referenced from this document. However, independent of that, I think we do need to add a security expectation to the Impact Stage acceptance criteria.
I propose adding the following to the Impact Stage acceptance criteria:
Good improvement, @brian-jarvis-aws. May I suggest strengthening it as follows, to move beyond a pure "process focus":
Explicitly define the project's security policy, incl. threat model, vulnerability reporting process, history of vulnerabilities, history of external security audits performed, incl. their goals and results, and external security certifications, e.g., FIPS-140 (if available). This is preferably laid out in a SECURITY.md file or other prominent location in the project's code base and website (if applicable).
I'm ok with your suggested additions, I just adjusted the wording slightly. Submitted this change in PR #54.
Comment moved from Project Lifecycle Document Section 3. Stages - Definitions & Expectations - Impact Stage - Acceptance Criteria
To graduate from the Incubation or Growth Stages, or for a new project to join as an Impact Stage project, a project must meet the Growth Stage criteria plus: