  1. Security Subcommitee
  2. SECCOM-101

Ticket Management for the vulnerability subcommittee


      As a secure email approach runs into challenges with using 3GPP interacting with corporate policies in organizations, an alternative of using a ticketing system like Jira should be explored.

      SECCCOM-2019-01-30

      The following was submitted.

      A Jira board where:

      1. Anyone can submit a vulnerability JIRA (with or without an LF ID).
      2. It supports default settings where the vulnerability management sub-committee members are the only ones that have the right to view and access all the included Jiras.
      3. The vulnerability management sub-committee receives a notification that there is a new Jira, but without the details.
      4. It is possible to extend the security settings on a per-JIRA basis and a per-individual basis to include access for selected individuals that are required to solve the identified vulnerability.
      5. Finally, it should be possible to move the access restrictions and move the JIRA (when completed) to the appropriate project Jira.

      It replies need to be updated.

      [2019-02-13]

      Considering Launchpad as a platform for vulnerability reports; used by OpenStack today

      • Launchpad requires an Ubuntu report
      • Requires sending empty email
      • Krzysztof will update Jira ticket with the details of the OpenStack process

      Recommendation

      • Drop the requirements that cannot be fulfilled: (1) opening Jira for users without an LFID; (2) empty notifications (no bug content)
      • Create a Jira and work to create GPG keys for a few key people to receive critical vulnerability reports.
      • Pawel will bring the recommendation to the TSC - target 2019-02-14 TSC meeting

            kopasiak
            auztizza