OpenJDK Governing Board CFV: Vulnerability Group
Doug Lea
dl at cs.oswego.edu
Thu Mar 1 11:59:20 UTC 2018
Vote: yes.
Aside: Thanks for assembling a good list of initial members.
-Doug
On 02/28/2018 11:13 AM, mark.reinhold at oracle.com wrote:
> (This is a call for votes, but only from members of the Governing Board.)
>
> I hereby propose the creation of the Vulnerability Group, with Andrew
> Gross as the initial Lead.
>
> This Group will be a secure, private forum in which trusted members of
> the OpenJDK Community can receive reports of vulnerabilities in OpenJDK
> code bases, review them, collaborate on fixing them, and coordinate the
> release of such fixes.
>
> This Group will be unusual in several respects, due to the sensitive
> nature of its work: Membership will be more selective, there will be a
> strict communication policy, and members (or their employers) will need
> to sign a non-disclosure and license agreement. These requirements do,
> strictly speaking, violate the OpenJDK Bylaws. Per our past discussions,
> however, I trust that Governing Board members will approve the creation
> of the Group with these exceptional requirements.
>
> The detailed proposal for the Group is here:
>
> http://cr.openjdk.java.net/~mr/ojvg/
>
> The non-disclosure and license agreement (NDLA) is here:
>
> http://cr.openjdk.java.net/~mr/ojvg/ojvg-ndla-2018-01-30.pdf
>
> The proposed initial Lead of the Vulnerability Group is Andrew Gross,
> who leads Oracle's internal Java Vulnerability Team. Andrew has over 25
> years experience in computer security including discovering and fixing
> vulnerabilities, performing forensic analyses, tracking intruders, and
> assisting government and law enforcement. He holds a Ph.D. in electrical
> engineering from the University of California at San Diego.
>
> The suggested list of initial Group Members is:
>
> Martin Balao (Red Hat)
> Aaron Bedra
> Tasha Carl
> Paul Cheeseman (IBM)
> John Coomes (Twitter)
> Andrew Gross (Oracle)
> Andrew Haley (Red Hat)
> Frances Ho (Oracle)
> Paul Hohensee (Amazon)
> Andrew Hughes (Red Hat)
> Bernd Mathiske (Amazon)
> Ramki Ramakrishna (Twitter)
> Mark Reinhold (Oracle)
> Simon Ritter (Azul)
> Volker Simonis (SAP)
> Gil Tene (Azul)
> Dalibor Topic (Oracle)
> Jesper Wilhelmsson (Oracle)
>
> (Organizational affiliations are not normally relevant when proposing a
> new Group; they are shown here to demonstrate that a broad cross-section
> of downstream maintainers will be represented.)
>
> Only current Governing Board Members [1] are eligible to vote on this
> motion. Votes must be cast in the open by replying to this mailing list.
>
> Votes are due in two weeks, by 23:00 UTC on Wednesday, 14 March [2].
>
> For Simple Majority voting instructions, see [3].
>
> - Mark
>
>
> [1] http://openjdk.java.net/census#gb
> [2] https://time.is/2300_14_Mar_2018_in_UTC/GMT/EST/PST?OJVG_votes_due
> [3] http://openjdk.java.net/groups/#new-group-vote
>