TSC subcommittee purpose:
The Vulnerability Management subcommittee is responsible executing on the vulnerability management procedures:
TSC vulnerability subcommittee participants:
- All participants will self nominate to the TSC.
- The appointment is valid for a year. There are no restrictions on the number of times a member can self-nominate.
- The agreed participants will elect a chair.
Meeting Frequency: As required.
Vulnerability notification email: firstname.lastname@example.org
Vulnerability committee email: email@example.com
Reporting Cadence: As required at the conclusion of vulnerability issues.
How to report a vulnerability
If you find a significant vulnerability, or evidence of one, please send an email to the security contacts that you have such information, and we'll tell you the next steps. For now, the security contacts are: Arul Nambi , Amy Zwarico, Oliver Spatscheck, Stephen Terrill
Please use an email system (like Gmail) that supports hop-to-hop encryption using STARTTLS when reporting vulnerabilities. Examples of such systems include Gmail, Outlook.com, and runbox.com. See STARTTLS Everywhere if you wish to learn more about efforts to encourage the use of STARTTLS. Your email client should use encryption to communicate with your email system (i.e., if you use a web-based email client then use HTTPS, and if you use email client software then configure it to use encryption). Hop-to-hop encryption isn't as strong as end-to-end encryption, but we've decided that it's strong enough for this purpose and it's much easier to get everyone to use it.
We will gladly give credit to anyone who reports a vulnerability so that we can fix it. If you want to remain anonymous or pseudonymous instead, please let us know that; we will gladly respect your wishes.