Pursuant to the Haskell Foundation Tech Proposal #37, the Haskell Foundation is establishing a Security Advisory Database for the Haskell ecosystem, and assembling the Security Response Team (SRT) who will manage it.
We are now formally calling for applications for the initial SRT. People from the Haskell community with information security experience are encouraged to apply. This is an opportunity to have a large impact on the practice of Haskell programming going forward.
Security Response Team responsibilities
The general responsibilities of the SRT are:
Manage the Haskell Security Advisory Database, on behalf of the Haskell community and the Haskell Foundation.
Triage and assess incoming security reports or proposed/candidate security advisories.
Assist reporters to determine CVSS scores and CWE values for confirmed security issues.
Communicate with package maintainers and the community to promote the timely resolution of reported security issues.
Ensure the security advisory data are useful for downstream security tooling. (Development of downstream tooling is not an SRT responsibility, but engaging with the developers is)
Report quarterly on the activities of the SRT and statistics/trends in new security issues.
The initial SRT will have some additional responsibilities:
Ensure relevant web pages (or other resources) are updated to mention the Security Advisory Database, and how to report security issues.
Populate the Database with advisories for known and historical security issues in the Haskell ecosystem.
Who should apply?
5 volunteers to form the initial SRT, who can commit to a term of either 6 months or 12 months (terms will be staggered).
If you don’t want to apply but know someone who would be great, encourage them to apply.
Volunteers should have experience in one or more of the following areas:
- web application security
- information security incident response
- vulnerability research and analysis
- penetration testing
- authentication and identity management
- governance, risk management and compliance (GRC)
- secure application development
- algorithms, data structures, and their role in DoS attacks
- related disciplines
Who is involved?
The Security Advisory Database project is run by Fraser Tweedale, a volunteer with the Haskell Foundation. David Thrane Christiansen, the executive director of the HF, is also involved.
How to apply
Fraser Tweedale <firstname.lastname@example.org> with subject Haskell SRT Application. Include a brief overview of your background in security and the specific topics (e.g. from the list above) with which you have experience.
Assuming enough applications are received, the Haskell Foundation will appoint the initial Security Response Team in early March, and communicate the outcome. The work of the SRT and the terms of its members will then formally begin.