Difference between revisions of "Security Team"

From Bisq Wiki
Jump to navigation Jump to search
Line 30: Line 30:
 
=== Duties ===
 
=== Duties ===
  
* find attack vectors
+
* Find attack vectors
* design counter strategies
+
* Design counter strategies
* act as a think-tank, consortium and knowledge base for security-related stuff
+
* Act as a think-tank, consortium and knowledge base for security-related stuff
* firefighting
+
* Firefighting
* no feature implementation work, because that is either dev or ops.
+
* No feature implementation work, because that is the realm of either [[Dev Team]] or [[Ops Team]].
  
 
=== Mode of operation ===
 
=== Mode of operation ===
Line 41: Line 41:
  
 
=== General Roadmap ===
 
=== General Roadmap ===
 
+
* Do security audits. Use appropriate tools to find vulnerabilities. Even leave the beaten path of Java if it is the reasonable thing to do.
 +
* Up testing efforts. Technical dept is causing all sorts of issues already. More test coverage might just reveal more vulnerabilities.
 +
* Implement means for a responsible disclosure process, either fed by the efforts of the security team or fed by external sources.
 +
* Create and maintain an overview of Bisq from a security perspective
 +
* Prioritize and design countermeasures to be implemented by the [[Dev Team]]/[[Ops Team]]
  
 
[[Category:Teams]]
 
[[Category:Teams]]

Revision as of 16:46, 10 June 2020

The Security Team is responsible for keeping an eye on Bisq's needs for security - hunt bugs, design counter measures, be a point of contact for security related topics.

Roles

Infrastructure

GitHub

Team

@bisq-network/security

Repositories

Chat

Goals

What does "security" in "Security Team" mean

  • Optimize information footprint
  • Hardening of the Bisq app, services, protocols, down to code

Duties

  • Find attack vectors
  • Design counter strategies
  • Act as a think-tank, consortium and knowledge base for security-related stuff
  • Firefighting
  • No feature implementation work, because that is the realm of either Dev Team or Ops Team.

Mode of operation

Results and work of the security team might not be shared with the general public immediately. Simply because it makes no sense to publish a security vulnerability before it has been patched up. This is why the various channels of communication are invite-only.

General Roadmap

  • Do security audits. Use appropriate tools to find vulnerabilities. Even leave the beaten path of Java if it is the reasonable thing to do.
  • Up testing efforts. Technical dept is causing all sorts of issues already. More test coverage might just reveal more vulnerabilities.
  • Implement means for a responsible disclosure process, either fed by the efforts of the security team or fed by external sources.
  • Create and maintain an overview of Bisq from a security perspective
  • Prioritize and design countermeasures to be implemented by the Dev Team/Ops Team