Create on-call runbook/playbook

[pshiu]

We need a runbook so it's clear to working group members how to respond to security disclosures.

Some open questions from: https://openedx.atlassian.net/wiki/spaces/COMM/pages/3624140816/Security+Working+Group+Private:

• How will we keep track of who is on-call?
• Is there a need for the community to know who is on-call?
• What are the expectations for on-call? Will there really be CAT-1s?
• How will we know who is the maintainer of what repository?

[pshiu]

Started to address "What are the expectations for on-call?" in new section On-Call Duties section on our "For working group members" Confluence page.

[pshiu]

Added runbook on finding a maintainer in our Security Playbooks.

[pshiu]

Started draft sections:

• Respond to a security disclosure
• Give security advice
• Process suggestions for security improvements

Added to Triage security@openedx.org emails.

[pshiu]

Added section Forward a report to an operator or Axim.

[pshiu]

Next steps:

• [x] @pshiu & @alangsto meet to compare current 2U practices
• [x] Meet with @feanil to brainstorm future improvements
• [x] Draft runbooks for review

[pshiu]

@alangsto & I met and compiled the current 2U practices. We now need to compare them.

[pshiu]

@alangsto & I met and added details to Security Playbooks – for Security WG members.

[pshiu]

@feanil & I met and we worked on Common Issues.