doc: SRT administrative processes

README.md

@@ -131,12 +131,7 @@ The above [TOML] "front matter" is followed by the long description in [Markdown
 
 ## Current Members
 
-- [Tristan de Cacqueray](mailto:[email protected])
-- [Gautier Di Folco](mailto:[email protected])
-- [Mihai Maruseac](mailto:[email protected])
-- [Casey Mattingly](mailto:[email protected])
-- [David Thrane Christiansen](mailto:[email protected])
-- [Fraser Tweedale](mailto:[email protected])
+Please see [Current members](./docs/membership.md).
 
 ## Processes
 

docs/README.md

@@ -0,0 +1,10 @@
+# Haskell Security Response Team documentation
+
+The files in the directory document the functional and
+administrative processes of the Haskell Security Response Team.
+
+- [SRT membership processes](./membership.md)
+- [Quarterly reports](./reports.md)
+
+Documentation for our tools, libraries and the advisory source
+format live in the `code/` directory of the main repo.

docs/call-for-volunteers-example.md

@@ -0,0 +1,64 @@
+**(PREAMBLE)**
+
+The Security Response Team (SRT) is formally calling for
+applications to join the SRT.  People from the Haskell community
+with information security experience are encouraged to apply.  This
+is an opportunity to have a large impact on the practice of Haskell
+programming going forward.  If you have an interest in helping the
+team continue its mission, please apply!
+
+## Security Response Team responsibilities
+
+The general responsibilities of the SRT are:
+
+- Manage the Haskell Security Advisory Database, on behalf of the
+  Haskell community and the Haskell Foundation.
+- Triage and assess incoming security reports or proposed/candidate
+  security advisories.
+- Assist reporters to determine CVSS scores and CWE values for
+  confirmed security issues.
+- Communicate with package maintainers and the community to promote
+  the timely resolution of reported security issues.
+- Ensure the security advisory data are useful for downstream
+  security tooling. (Development of downstream tooling is not an SRT
+  responsibility, but engaging with the developers is)
+- Report quarterly on the activities of the SRT and
+  statistics/trends in new security issues.
+
+## How can you help?
+
+- You can apply.
+- If you don’t want to apply but know someone who would be great,
+  encourage them to apply.
+- Applicants should have experience in one or more of the following
+  areas:
+  - web application security
+  - information security incident response
+  - vulnerability research and analysis
+  - penetration testing
+  - cryptography
+  - authentication and identity management
+  - governance, risk management and compliance (GRC)
+  - secure application development
+  - algorithms, data structures, and their role in DoS attacks
+  - related disciplines
+
+## Who is involved?
+
+The current membership of the SRT is:
+
+- ***(CURRENT MEMBERS)***
+
+The team is hoping to gain ***(FILL ME)*** new members via this call
+for volunteers.
+
+## How to apply
+
+Email ***(DELEGATE <EMAIL@ADDRESS>)*** with subject ***Haskell SRT
+Application***.  Include a brief overview of your background in
+security and the specific topics (e.g. from the list above) with
+which you have experience.
+
+## Deadline
+
+Please submit your applications by end of day ***(DEADLINE)***.

docs/membership.md

@@ -0,0 +1,76 @@
+# SRT members and membership processes
+
+## Current members
+
+- Fraser Tweedale (SRT project leader; 2023-05–)
+- Gautier Di Folco (2023-05–)
+- Lei Zhu (2024-10–)
+- Mihai Maruseac (2023-05–)
+- Montez Fitzpatrick (2024-10–)
+- Tristan de Cacqueray (2023-05–)
+
+## Former members
+
+We thank past members for their valuable contributions!
+
+- Casey Mattingly (2023-05–2024-06)
+
+## Member onboarding (and offboarding)
+
+There are some necessary tasks when members join or leave the SRT.
+These are:
+
+- Update the member lists in this document.
+
+- Add (or remove) the member from the
+  `security-advisories[at]haskell.org` mailing list.  Contact the
+  [Haskell Infrastructure Admins][haskell-infra] for assistance.
+
+- Add (or remove) the member from the VINCE group, if they are
+  participating in that capacity.
+
+- Update the member list at https://www.haskell.org/security/.
+  By pull request against
+  [https://github.com/haskell-infra/www.haskell.org/](haskell-infra/www.haskell.org).
+
+- Announce the membership change(s) on [Discourse].  Usually this
+  could be included in the quarterly report.
+
+[haskell-infra]: https://github.com/haskell-infra/haskell-admins
+[Discourse]: https://discourse.haskell.org/
+
+
+## Running a Call for Volunteers
+
+To fill vacancies or grow the SRT, run a *Call for Volunteers*.
+The following is a rough guide on how we do that.
+
+- For previous calls, we appointed an SRT member to receive the
+  applications (to their personal email address).
+
+- *After applications close*, they compile the applications and
+  share with the rest of the SRT for review.  We start a voting
+  thread on the mailing list, each member states their preferred
+  applicant(s) with summary reasons, and we reach a consensus.  This
+  process has worked well, so far.
+
+- See [example content](call-for-volunteers-example.md).  There are
+  some placeholders to be filled.  The content can be modified as
+  needed.
+
+- Publish the call on [Discourse] and promote it in the logical ways
+  (e.g. Haskell Foundation social media, r/haskell, etc).
+
+- The application period should be about 4 weeks.  Bump and do
+  another burst of promotion at the halfway point.
+
+- After the application deadline, the full SRT membership reviews
+  the proposals and selects the new member(s).
+
+- Notify the successful applicant(s) and seek their affirmation that
+  they are prepared to join the SRT.
+
+- Notify unsuccessful applicants before public announcement of the
+  outcome.
+
+- Commence onboarding and notify the community of the outcome.

docs/reports.md

@@ -0,0 +1,50 @@
+# SRT reporting
+
+The SRT is to report each quarter to update the community on the
+activities and plans of the SRT.
+
+## Who should write the report?
+
+The SRT project lead prepares the report (though the task could be
+delegated with sufficient notice).  It is a good idea to gather
+items for the report through the reporting period, so you don't
+forget anything significant.
+
+## Publishing reports
+
+The canonical version of each report is committed to this repo under
+`/reports/`.
+
+Each report should also be republished on [Discourse], and added to
+the list of reports at https://www.haskell.org/security/ (file a
+pull request against
+[https://github.com/haskell-infra/www.haskell.org/](haskell-infra/www.haskell.org)).
+
+Reports for the previous quarter should generally be published in
+the first few weeks following that quarter.  In some cases we have
+delayed a report to include significant new developments, e.g. the
+result of a *Call for Volunteers*.
+
+[Discourse]: https://discourse.haskell.org/
+
+## Report content
+
+Each report should contain:
+
+- A preamble explaining what the SRT is and who are its members
+  (just copy the preamble from the previous report).
+
+- Statistics about the number of contemporary and historical
+  advisories added to the advisory database during the reporting
+  period.  Also mention any new or outstanding HSEC ID reservations
+  (for embargoed issues), and any other significant updates to the
+  **content** of the advisory DB.
+
+- Discussion of any significant security incidents during the
+  reporting period that impacted Haskell infrastructure, the
+  toolchain, or the library ecosystem.
+
+- Mention of notable updates to SRT-owned tools and libraries, and
+  related developments in downstream tooling.
+
+- Any other news related to Haskell ecosystem security.