forgejo/governance
40
34
Fork
You've already forked governance
35

[AGREEMENT] Gusted application to the security team #96

Closed
opened 2024年02月20日 10:23:33 +01:00 by Gusted · 1 comment

Application

I propose to become part of the security team.

  1. If you agree, please simply add a 👍 to this issue.
  2. If you disagree or have reservations, please write them in a comment below and I will do my best to address them.

This application follows the Forgejo decision making process (accepted after 2 weeks, unless concerns are raised).

Pledge

I pledge to act in accordance with the code of conduct, and all other rules and processes agreed via the Forgejo decision making process.

If there is an agreement for me to be a member of the team, I will consider applying again a year later.

I pledge to read and respond in a timely manner to mails sent to security@forgejo.org.

I pledge to follow the principles of Coordinated vulnerability disclosure.

Background

I am currently a member of the security team as per the agreement from last year.

I am definitely not a security professional and I have no formal training or education in computer science, security or cryptography. But I am a Go developer with 3 years of experience and 2.5 years of experience with the Forgejo codebase and have been a member of the Forgejo (before that Gitea) security team for the past 1.5 years.

On top of what the previous agreement listed, in the last year I've continued to work on creating patches for security vulnerabilities, analyzed incoming security reports and security vulnerabilities in dependencies that Forgejo uses and I've continued to do security research against the codebase to find security vulnerabilities, with success.

The following is a meaningless list of the public work I've done in the past year as part of the security team:

### Application I propose to become part of [the security team](https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#security). 1. If you agree, please simply add a 👍 to this issue. 2. If you disagree or have reservations, please write them in a comment below and I will do my best to address them. This application follows the Forgejo [decision making process](https://codeberg.org/forgejo-contrib/governance/src/branch/main/DECISION-MAKING.md) (accepted after 2 weeks, unless concerns are raised). ### Pledge I pledge to act in accordance with the [code of conduct](https://codeberg.org/forgejo/code-of-conduct/), and all other rules and processes agreed via the Forgejo [decision making process](https://codeberg.org/forgejo-contrib/governance/src/branch/main/DECISION-MAKING.md). If there is an agreement for me to be a member of the team, I will consider applying again a year later. I pledge to read and respond in a timely manner to mails sent to `security@forgejo.org`. I pledge to follow the principles of [Coordinated vulnerability disclosure](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure). ### Background I am currently a member of the security team as per [the agreement from last year](https://codeberg.org/forgejo/meta/issues/142). I am definitely not a security professional and I have no formal training or education in computer science, security or cryptography. But I am a Go developer with 3 years of experience and 2.5 years of experience with the Forgejo codebase and have been a member of the Forgejo (before that Gitea) security team for the past 1.5 years. On top of what [the previous agreement](https://codeberg.org/forgejo/meta/issues/142#user-content-background) listed, in the last year I've continued to work on creating patches for security vulnerabilities, analyzed incoming security reports and security vulnerabilities in dependencies that Forgejo uses and I've continued to do security research against the codebase to find security vulnerabilities, with success. The following is a meaningless list of the **public** work I've done in the past year as part of the security team: - https://forgejo.org/2023-02-17-release-v1-18-3-2/#security-issues-in-git & https://forgejo.org/2023-01-18-release-v1-18-1-0/#critical-security-issues-in-git: Analyzed if the Git vulnerabilities could be exploited in Forgejo. - https://forgejo.org/2023-02-23-release-v1185-0: Analyzed and worked on creating the patch for the 'weak' password hashes. - https://forgejo.org/2023-10-release-v1-20-5-0/#long-term-authentication-token: Found, analyzed, researched and worked on created a patch to rework the long term authentication token from scratch to be secure. - https://forgejo.org/2023-11-release-v1-20-5-1/: Found and analyzed the vulnerable endpoints to manually crafting identifiers.
Contributor
Copy link

I think you can propose a PR to update the TEAMS file with your renewed commitment and close this issue.

I think you can propose a PR to update the TEAMS file with your renewed commitment and close this issue.
Sign in to join this conversation.
No Branch/Tag specified
main
No results found.
Labels
Clear labels
[Decision] Building proposal(s)
We're in a decision-making process, buiding one or more proposals to address the shared aim based on the criteria
[Decision] Collecting stakeholders
We're in a decision-making process, figuring out the relevant stakeholders and bringing them into the process
[Decision] Documenting and implementing
We finished a decision-making process, now documenting and/or implementing the decision
[Decision] Gathering advice
We're in a decision-making process, waiting for people to add their feedback
[Decision] Gathering criteria
We're in a decision-making process, gathering criteria, considerations and needs
[Decision] Integrating concerns
We're in a decision-making process, working with a proposal, trying to integrate concerns and create modifications/support such that the proposal works for everyone
[Decision] Phrasing shared motive
We're in a decision-making process, phrasing the shared question/problem/issue we want to tackle
Membership
Process of appointing a person as a team member.
Moderation
Moderation actions in Forgejo spaces
Money
Accounting, day to day management of money
Scheduled chores
Tasks that need to be done at a scheduled date in the future (paying the bills, renewing certificates, etc.)
User research - Accessibility
Requires input about accessibility features, likely involves user testing.
User research - Blocked
Do not pick as-is! We are happy if you can help, but please coordinate with ongoing redesign in this area.
User research - Community
Community features, such as discovering other people's work or otherwise feeling welcome on a Forgejo instance.
User research - Config (instance)
Instance-wide configuration, authentication and other admin-only needs.
User research - Errors
How to deal with errors in the application and write helpful error messages.
User research - Filters
How filter and search is being worked with.
User research - Future backlog
The issue might be inspiring for future design work.
User research - Git workflow
AGit, fork-based and new Git workflow, PR creation etc
User research - Labels
Active research about Labels
User research - Moderation
Moderation Featuers for Admins are undergoing active User Research
User research - Needs input
Use this label to let the User Research team know their input is requested.
User research - Notifications/Dashboard
Research on how users should know what to do next.
User research - Rendering
Text rendering, markup languages etc
User research - Repo creation
Active research about the New Repo dialog.
User research - Repo units
The repo sections, disabling them and the "Add more" button.
User research - Security
User research - Settings (in-app)
How to structure in-app settings in the future?
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Reference
forgejo/governance#96
Reference in a new issue
forgejo/governance
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?