1/31/2013 - 4:34 PM

Open Source Web Application Security Alliance

### Problem: We have lots of open source applications out there, run by volunteers. Security issues have been popping up all over the place with the recent rails and rubygems.org exploits, and we'll be feeling the effects of this for years.

### Solution: We have a github org (or even just a mailing list) of vetted open source developers who have expressed interest in helping with security stuff.

In more detail:

  • Github/mailing list with open source developers who have somehow been vetted by the community (no clue how to do this, maybe based off of how many people have signed their GPG key? something else?)

  • An open source application can apply to join - should have a 5:1 project:dev ratio at most.

    • If the project is accepted, then they can put a thing at the bottom of their readme with something like "security problems shouldn't be reported in the public tracker, email these guys with this GPG key with the details of the exploit and how to fix it".
  • If there is something upstream (like the recent rails issues), then the mailing list gets notified, and all the developers on the ML go and work on updating things. Again, this would be on a volunteer basis.
  • The security dev "assigned" to the project has push access, with the understanding that it's only for security stuff.

Thoughts? Am I insane?