FreeBSD Security Officer Charter
[ Accepted by -core February 2002 ]
1. Introduction
The FreeBSD Security Officer's mission is to protect the FreeBSD user community by keeping the community informed of bugs, exploits, popular attacks, and other risks; by acting as a liaison on behalf of the FreeBSD Project with external organizations regarding sensitive, non-public security issues; and by promoting the distribution of information needed to safely run FreeBSD systems, such as system administration and programming tips.
2. Responsibilities
The responsibilities of the Security Officer include:
- Resolving disputes involving security.
- Resolving software bugs that affect the security of FreeBSD in a timely fashion.
- Issuing security advisories for FreeBSD.
- Responding to vendor inquiries regarding security issues.
- Auditing as much code as possible, but particularly security- and network- related code.
- Monitoring the appropriate channels for reports of bugs, exploits, and other circumstances that may affect the security of a FreeBSD system.
- Participating in the architecture of FreeBSD in order to influence a positive impact on system security.
- The Security Officer maintains the FreeBSD Security Officer PGP key.
3. Authorities
The FreeBSD Core Team has delegated authority to the Security Officer in matters of security, and the Security Officer is accountable to the Core Team in the use of this authority. He is expected to act with common sense and use appropriate discretion when using any of the appointed powers. Any actions that conflict with the committers' guidelines require particularly careful judgment.
Specifically, subject to the accountability constraints, the Security Officer is granted the following powers:
- Expedited commits: The Security Officer may forgo the usual committers' guidelines in areas of security.
- Veto: The Security Officer has the final say in security matters, and may request the back-out of any commits or elimination of any subsystems that he considers detrimental to the security of FreeBSD.
- Team: The Security Officer may maintain a Security Officer Team and delegate these powers and responsibilities at his discretion. Membership is selected by the Security Officer, but always includes emeritus security officers --- just when they thought they had paid their dues.
- Mailing list: The [email protected] mailing list is administrated by the Security Officer.
4. Structure
A new Security Officer is appointed by the previous Security Officer and ratified by the Core Team. The Security Officer is accountable to the Core Team.
The Security Officer Team members are selected by the Security Officer, and they are accountable to the Security Officer and to the Core Team. Security Officer Team members are expected to assist the Security Officer in fulfilling his responsibilities and otherwise participate in protecting the FreeBSD user community.