Establish inbound security contact for OSDU
If a user/operator of OSDU detects a security issue that the OSDU governing body needs to know about, there should be a straightforward way to contact us.
Named individuals with appropriate levels of responsibility should be identified to participate in a security incident response team, representing areas like public relations, legal, operations, and development. (Am I really imagining I can tell oil companies how to do incident response?) Ultimately we just need the appropriate level of due diligence and named people so we can get information shared at the right time and pace.
- Equinor: The project should be able to show short response times for critical errors and security issues.
Definition of Done
- A contact method is published on the main OSDU web site and in any README or other code documentation
- The named contact method reaches at least 2 different people who can respond
- The responders have sufficient access (email, phone) to the OMC and/or PMC to alert on high priority security issues
- An incident response plan is documented (at least in some draft/wiki form) for how to handle high priority security alerts
- A triage plan is documented for normal and low severity security alerts