In the summer, we organized the very first Drupal Governance Sprint. We sat down and discussed how to evolve Drupal's governance structure to support the Drupal community's continued growth. The result of that meeting was a proposal on how to evolve our governance.

In this issue, we're proposing the charter for the Security Working Group. It was created with input from Michael Hess, Greg Knaddison, Mori Sugimoto, Ben Jeavons, Matt Chapman, Angie Byron and the larger security team. We've gone through several iterations of feedback and now we're ready and excited to share it with the larger group. I'd love to finalize this in the next month or so.

----8<--------------

Security Working Group Charter [Draft]

Mission

The mission of the Security Working Group (SecWG) is to ensure that Drupal core and Drupal's contributed project ecosystem provide world-class security, and to provide security best practices for site builders and module developers.

The SecWG acts as a group to review objective and subjective measures of the Security Team, maintain processes focused on resolution and communication of security issues in an efficient manner, and ensure the Security Team has the resources (both technical and membership-wise) and processes to work well.

Scope / Duties / Responsibilities

Scope

The SecWG exists to ensure that the Security Team is functioning well. As such it considers metrics of issues on security.drupal.org (s.d.o), surveys of the team, and surveys of the community. It maintains policies relating to security within the Drupal ecosystem.

Specific Duties of the SecWG

  • Review and enact changes to processes to ensure they are working well for all stakeholders.
  • Ensure the documentation of the Security Team processes is updated and accurate.
  • Be an authoritative resource for concrete decision-making around changes or additions to security team policies.
  • Periodically create surveys of the Security Team and community members. Review the results of the surveys as a SecWG and then with the security team.
  • Determine which metrics are important and review metrics relating to Drupal’s security health.
  • Develop guidelines and/or recommendations regarding the introduction of new tools, technologies, and processes for the benefit of security (including security.drupal.org). Where implementation of these recommendations is dependent on Drupal Association funding, Drupal.org integration, or significant investment from the infrastructure team, the SecWG will work with these groups to evaluate feasibility of any particular option or recommendation.

Specific Duties of the Security Team

While the SecWG owns the policies and processes that the Security Team uses, the definition of those policies and processes is expected to be developed with broad consensus from the Security Team members.

Exclusions

  • Neither the SecWG nor the security team responds to specific requests for advice on security issues.
  • The SecWG has no responsibility over Drupal.org security.
  • The SecWG cannot change or extend its own charter.

Process

The SecWG meets quarterly, or more often as needed to do its work. In general, it will propose an idea, ask for objections, and set a deadline for when it will take action (minimum two weeks).

Transparency and Appeals

The SecWG aims to be as transparent as possible by documenting its decisions publicly.
Individuals who do not agree with a given SecWG decision may escalate to Dries Buytaert and/or his designate(s), who will review the decision and can choose to either uphold or alter it. In the meantime, the decision of the SecWG stands.

Membership (in no particular order)

  • (TODO)

SecWG members are selected from the Drupal community by Dries Buytaert and/or his designate(s). The SecWG consists of the Security Team Lead, plus 2-5 members of the Security Team, to ensure that the decisions made within the SecWG are in harmony with the people contributing to security.

Charter revisions

The charter will be revised as needed. Any proposed charter revisions must be ratified by Dries Buytaert and/or his designate(s) prior to acceptance into this charter. In the future, this charter may be revised to modify the charter revision process, subject to the aforementioned condition.

Comments

jhodgdon:

+1. Seems very clear and concise to me.

galooph:

Sounds good to me. +1.

jpw1116:

The tenor of it looks good. Just seeing if my pedant hat fits for a second, shouldn't it read 'designee' instead of 'designate' throughout all of these charters? . . .

http://wiki.answers.com/Q/What_is_a_noun_for_designate#slide=2

dries:

Status: Needs review » Fixed

Sounds like everyone is on board so I committed the charter to Git as charters/security-working-group-charter.html. If you have concerns or suggestions, we can address them in a follow-up issue. Next step is to appoint the members of the security working group.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

webchick:

Status: Closed (fixed) » Reviewed & tested by the community

Oops.

dries:

Status: Reviewed & tested by the community » Fixed

Oops, sorry about not pushing that. I committed it again, for real now.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.