ossf / SIRT

The OSS-SIRT SIG (Open Source Software Security Incident Response Team Special Interest Group) is a group working within the OSSF's Vulnerability Disclosure Working Group that is focused on creating secure vulnerability management capabilities within the open source ecosystem to ensure effective coordinated vulnerability disclosure (CVD) practices.
Apache License 2.0

VOTE - OSS-SIRT staffing mode #11

Closed SecurityCRob closed 1 year ago

SecurityCRob commented 2 years ago

Please express your opinion in this ISSUE on which path you think the group should develop the plan toward:

1.) Full-time staff handling all duties of the OSS-SIRT, including IR, disclosure, coordination and education, augmented by volunteers.
2.) Mostly volunteers staffed by OSSF members, supported by a handful of FTEs for administrative-type tasks, that assists projects with the IR areas they need assistance on.
3.) A combination of some FTEs and volunteers building out processes and capabilities that predominantly coaches/consults for the first year of operation, after which time the direction is determined (full-time staff or mostly volunteers).

We will review the votes in our 18 October meeting and have any final conversations before formally documenting the group's decision and adjusting the plan based on that choice.

TheFoxAtWork commented 2 years ago

2️⃣ or 3️⃣ . If 3️⃣ then we should ensure some form of rotational training or partnership for volunteers. The skills necessary for a SIRT, especially an open source one, are in short supply. Anything we can do to increase those skills across communities, especially in open source ecosystems, will uplift the overall responsive success by those ecosystems.

ran-dall commented 2 years ago

I agree with everything said by @TheFoxAtWork in the previous comment.

I lean more towards 2️⃣ than 3️⃣; I would like to see how many volunteers and interested parties exist before we start considering 3️⃣ or even 1️⃣.

menkhus commented 1 year ago

2. I appreciated this idea: "Anything we can do to increase those skills across communities, especially in open source ecosystems, will uplift the overall responsive success by those ecosystems." I believe the experience is valuable to those who contribute, and they then bring that to whatever else they do.

u269c commented 1 year ago

Option 2 is my preference.

That being said, it's not clear what your suggestion aims to do. We should tie this to our mission and scope, as detailed in https://github.com/ossf/SIRT/blob/main/README.md.

zmanion commented 1 year ago

Assuming this is not yet decided, I'll vote for 1. But this really depends on what we want. If we want a dependable and sufficiently professional response for a major vulnerability case, then 1.

I expect that at least some degree of paid full/part-time staff will be needed.

I have no problem with models 2 and 3, depending on what we (or whomever is directing us) want.

brianbehlendorf commented 1 year ago

I think answers depend somewhat on the term "volunteer". As I envisioned it while we were pulling together the plan, there would be people whose paid time was being "volunteered" by their employer, in some sort of dedicated-time capacity (FTE, or 1/4 FTE, or "as needed on call, in which case it becomes top priority over $employer's needs", or some such more serious commitment than companies usually make when they allow their employees to contribute to open source projects in their spare time).

I think such committed-time and trustworthy "volunteers" would also be vetted for their participation in a response process, since there will be very sensitive information shared, and the volunteer might even need to be able to keep things secret from their employer. But mostly, you need to know you can marshal the people needed when an event strikes, to the point where you need to know when people are taking a vacation or are otherwise unavailable, and ensure coverage. So this kind of volunteer is essential.

There might be other roles for other more opportunistically-allocated volunteers, who aren't time-committed by their employer, but are still eager to help out. This project should consider ways to make use of this kind of volunteer as well, but I'd worry about covering a shift entirely with this kind of volunteering.

No doubt, whatever path is taken, there will be a need for paid FTEs employed by the project (by the LF if we organize it under the LF, which we don't have to do, but as an example) and paid for out of this project's budget. At the very least that is program/project management, coordination of the volunteers, ensuring proper processes are followed, first-level support routing and filtering, and facilitating a mentorship model. I 100% agree with Emily's notion that a mentorship model and mentality is needed: not only are we responding in a crisis to under-resourced projects, we're helping everyone involved get better at this kind of thing and eventually carry that embedded into their other OSS efforts. That's important enough to staff to support rather than hope it happens voluntarily.

I think a final consideration is whether the project will need to directly employ some number of technical SMEs, fully and directly, to ensure some baseline coverage of key language ecosystems and competent security responses, as a fallback in case of volunteer failure but also to persist technical competency even as volunteers rotate in and out. My sense is that 2 or 3 of those may likely be needed, but that 2-3 is not enough by themselves to coordinate a response entirely (e.g. Option 1) without involving volunteers.

Wish I could join the call tomorrow, but can't, so thought I'd put longer thoughts here than I might have otherwise. Looking forward to supporting the decision of this SIG.

TheFoxAtWork commented 1 year ago

Voted 4 in favor of a volunteer model with a handful of support staff dtd: TUE OCT 18. On the anniversary of sponsors funding the effort this decision will be revisited. CC @SecurityCRob

SecurityCRob commented 1 year ago

On 18 October 2022 the group discussed and approved the vote for staffing model #2: mostly volunteers staffed by OSSF members, supported by a handful of FTEs for administrative-type tasks, that assists projects with the IR areas they need assistance on.

We also agreed that annually on the anniversary date of the sponsors' final approval of the plan this model will be reviewed to ensure it still allows us to be successful in achieving our mission.