The purpose of this document is to introduce you to, and better define, the Next Generation of High-Performance Computing (HPCng) community, including its community and development goals. This document is a work in progress, and feedback, comments, and suggestions are encouraged.
Security, meaning the detection and fixing of vulnerabilities in any hosted components, is a responsibility of the HPCng community. Determining how best to address and resolve security issues is a major challenge for any open source community. Given the structure of the HPCng project, the community will provide guidelines for each individual project to follow. It will be the responsibility of each HPCng project to publish its own detailed Security Policy, staff all key roles, and provide a periodic report back to the HPCng management team. The following are the guidelines that each HPCng project should follow:
- Security reports are to be made to the HPCng project security team mailing list
- Security diligence will be done and the severity of the issue will be ascertained
- If the issue is not deemed to have security implications, this process stops and the embargo is lifted
- The HPCng project security team (and the reporter) will work together to find a reasonable solution and/or mitigation
- Project security stakeholders will all be under embargo to keep security context and information confidential until a full public release and disclosure is made (note: a vendor on the security team could in fact make a fix before one is agreed upon and release it to their commercial user base without a security disclosure)
- The release of the fix and the lifting of the embargo will occur after sufficient testing and agreement by the security team stakeholders (note: releases for zero-day exploits will be expedited)
- CVEs will be obtained for security releases
Each project must provide a security contact point that allows reporting of issues.
Each project must provide status and schedule updates that indicate which releases resolve or work around a given vulnerability.
If you wish to be on one of the HPCng project security teams, or have a security issue to discuss for a project, please contact the security team of that project by emailing <project->[email protected], for example, [email protected].