<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//FreeBSD//DTD XHTML 1.0 Transitional-Based Extension//EN"
"http://www.FreeBSD.org/XML/doc/share/sgml/xhtml10-freebsd.dtd" [
<!ENTITY title "FreeBSD Security Officer Charter">
]>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>&title;</title>
<cvs:keyword xmlns:cvs="http://www.FreeBSD.org/XML/CVS">$FreeBSD$</cvs:keyword>
</head>
<body class="navinclude.support">
<p>[ Accepted by -core February 2002 ]</p>
<h3>1. Introduction</h3>
<p>The FreeBSD Security Officer's mission is to protect the
FreeBSD user community by keeping the community informed of
bugs, exploits, popular attacks, and other risks; by acting as
a liaison on behalf of the FreeBSD Project with external
organizations regarding sensitive, non-public security issues;
and by promoting the distribution of information needed to
safely run FreeBSD systems, such as system administration and
programming tips.</p>
<h3>2. Responsibilities</h3>
<p>The responsibilities of the Security Officer include:</p>
<ul>
<li>Resolving disputes involving security.</li>
<li>Resolving software bugs that affect the security of FreeBSD
in a timely fashion.</li>
<li>Issuing security advisories for FreeBSD.</li>
<li>Responding to vendor inquiries regarding security issues.</li>
<li>Auditing as much code as possible, but particularly security- and
network-related code.</li>
<li>Monitoring the appropriate channels for reports of bugs,
exploits, and other circumstances that may affect the security
of a FreeBSD system.</li>
<li>Participating in the architecture of FreeBSD in order to
have a positive impact on system security.</li>
<li>Maintaining the FreeBSD Security Officer PGP key.</li>
</ul>
<h3>3. Authorities</h3>
<p>The FreeBSD Core Team has delegated authority to the Security
Officer in matters of security, and the Security Officer is
accountable to the Core Team in the use of this authority. He
is expected to act with common sense and use appropriate discretion
when using any of the appointed powers. Any actions that conflict
with the committers' guidelines require particularly careful
judgment.</p>
<p>Specifically, subject to the accountability constraints, the
Security Officer is granted the following powers:</p>
<ul>
<li>Expedited commits: The Security Officer may forgo the usual
committers' guidelines in areas of security.</li>
<li>Veto: The Security Officer has the final say in security
matters, and may request the back-out of any commits or
elimination of any subsystems that he considers detrimental
to the security of FreeBSD.</li>
<li>Team: The Security Officer may maintain a Security Officer Team
and delegate these powers and responsibilities at his discretion.
Membership is selected by the Security Officer, but always
includes emeritus security officers --- just when they thought
they had paid their dues.</li>
<li>Mailing list: The <a href="mailto:security-officer@FreeBSD.org">
security-officer@FreeBSD.org</a> mailing list is administered by
the Security Officer.</li>
</ul>
<h3>4. Structure</h3>
<p>A new Security Officer is appointed by the previous Security
Officer and ratified by the Core Team. The Security Officer
is accountable to the Core Team.</p>
<p>The Security Officer Team members are selected by the Security
Officer, and they are accountable to the Security Officer and to the
Core Team. Security Officer Team members are expected to assist the
Security Officer in fulfilling his responsibilities and otherwise
participate in protecting the FreeBSD user community.</p>
</body>
</html>