doc/en_US.ISO8859-1/htdocs/security/charter.xml

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//FreeBSD//DTD XHTML 1.0 Transitional-Based Extension//EN"
"http://www.FreeBSD.org/XML/share/xml/xhtml10-freebsd.dtd" [
<!ENTITY title "FreeBSD Security Officer Charter">
]>

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
      <title>&title;</title>

      <cvs:keyword xmlns:cvs="http://www.FreeBSD.org/XML/CVS">$FreeBSD$</cvs:keyword>
    </head>

    <body class="navinclude.support">

  <p>[&nbsp;Accepted by -core February 2002&nbsp;]</p>

  <h3>1. Introduction</h3>

    <p>The FreeBSD Security Officer's mission is to protect the
      FreeBSD user community by keeping the community informed of
      bugs, exploits, popular attacks, and other risks; by acting as
      a liaison on behalf of the FreeBSD Project with external
      organizations regarding sensitive, non-public security issues;
      and by promoting the distribution of information needed to
      safely run FreeBSD systems, such as system administration and
      programming tips.</p>

  <h3>2. Responsibilities</h3>

  <p>The responsibilities of the Security Officer include:</p>

  <ul>
    <li>Resolving disputes involving security.</li>

    <li>Resolving software bugs that affect the security of FreeBSD
      in a timely fashion.</li>

    <li>Issuing security advisories for FreeBSD.</li>

    <li>Responding to vendor inquiries regarding security issues.</li>

    <li>Auditing as much code as possible, but particularly security-
      and network- related code.</li>

    <li>Monitoring the appropriate channels for reports of bugs,
      exploits, and other circumstances that may affect the security
      of a FreeBSD system.</li>

    <li>Participating in the architecture of FreeBSD in order to
      influence a positive impact on system security.</li>

    <li>The Security Officer maintains the FreeBSD Security Officer PGP
      key.</li>
  </ul>

  <h3>3. Authorities</h3>

  <p>The FreeBSD Core Team has delegated authority to the Security
    Officer in matters of security, and the Security Officer is
    accountable to the Core Team in the use of this authority.  He
    is expected to act with common sense and use appropriate discretion
    when using any of the appointed powers.  Any actions that conflict
    with the committers' guidelines require particularly careful
    judgment.</p>

  <p>Specifically, subject to the accountability constraints, the
    Security Officer is granted the following powers:</p>

  <ul>
    <li>Expedited commits: The Security Officer may forgo the usual
      committers' guidelines in areas of security.</li>

    <li>Veto: The Security Officer has the final say in security
      matters, and may request the back-out of any commits or
      elimination of any subsystems that they consider detrimental
      to the security of FreeBSD.</li>

    <li>Team: The Security Officer may maintain a Security Officer Team
      and delegate these powers and responsibilities at their discretion.
      Membership is selected by the Security Officer, but always
      includes emeritus security officers --- just when they thought
      they had paid their dues.</li>

    <li>Mailing list: The <a href="mailto:security-officer@FreeBSD.org">
      security-officer@FreeBSD.org</a> mailing list is administrated by
      the Security Officer.</li>
  </ul>

  <h3>4. Structure</h3>

  <p>A new Security Officer is appointed by the previous Security
    Officer and ratified by the Core Team.  The Security Officer
    is accountable to the Core Team.</p>

  <p>The Security Officer Team members are selected by the Security
    Officer, and they are accountable to the Security Officer and to the
    Core Team.  Security Officer Team members are expected to assist the
    Security Officer in fulfilling their responsibilities and otherwise
    participate in protecting the FreeBSD user community.</p>

  </body>
</html>