open-quantum-safe / tsc

OQS Technical Steering Committee resources
https://openquantumsafe.org/
Creative Commons Attribution 4.0 International

Decide security (issue) report handling team and procedure #60

Open baentsch opened 1 month ago

baentsch commented 1 month ago

Currently only two OQS sub projects have publicly documented SECURITY.md handling procedures defined. The set of people receiving "privately" reported security vulnerabilities in those is pretty large (>10) as per https://github.com/open-quantum-safe/oqs-provider/issues/451#issuecomment-2259035295.

This issue is to codify and reduce this number to people explicitly agreeing and able to handle security incidents (e.g., a Vulnerability Management Team) and to decide whether other OQS sub projects should be subject to this procedure as well.

baentsch commented 1 month ago

This is also to document the verbal agreement by @hartm and @dstebila to facilitate a "dry-run" security incident handling exercise with the team designated by way of resolving this issue. One goal of this is to get input regarding the responsibilities of maintainers and contributors in this regard.