openjs-foundation / pkg-vuln-collab-space

Project for work on improved Package Vulnerability Management & Reporting
Apache License 2.0
78 stars, 5 forks

Aligning Incentives #9

Open wesleytodd opened 3 years ago

wesleytodd commented 3 years ago

One constant in this discussion has been how we align incentives across the process. Today we only seem to align on one goal: "improving security". But at what cost? Today different parts of the ecosystem make decisions without considering the impact those decisions have on other parts. I would like to provide a forum here for folks to discuss what their incentive structures are, so we can better understand where they overlap and where they diverge.

Maybe we can start here with brainstorming with some user story style perspectives, but I would like to make a doc in the repo about this at some point. I will start with my incentives:

  1. As a maintainer of OSS projects, I want to help my users be the most secure they can. This means responding to security issues quickly and efficiently.
  2. As a maintainer of OSS projects, I do not want false positives clogging up my inbox and brain.
  3. As an employee at a technology company, I want security issues surfaced so I can assess them. I want them to come with enough context that I can understand the issue and address it in my company's products.
  4. As a member of a team dedicated to developer productivity, I want solutions which reduce the burden on the developers I support and improve their ability to assess and remediate security issues.
  5. As a human person who donates my free time, I want to have hobbies that are not merging dependabot PRs and talking with security professionals about the applicability of a CVE on my projects.