🗓 Date
👥 Participants
🥅 Goals
Vision-casting: Where do we want to go in the future for proactive security work?
Areas
- 1st-party dependency security upgrades
  - Maintenance Board
- 3rd-party security upgrades
  - Maga is working on creating a process in BTR for Django
- Code
  - XSS linting on edx-platform
What are the top possible improvements?
- 3rd-party security upgrades
- Django security linters
- Security checks before PR merge
How to deal with new reports that are duplicates of edX’s SWG backlog?
- There’s a lot of value in keeping GHSA (GitHub Security Advisory) creation limited to actionable items to reduce noise.
- It might be good to create a “common reports & responses” section in our private Confluence pages to make triage more efficient.
Third-party/middlemen for security researchers
- Let’s experiment by responding to their emails with our normal responses.
✅ Action items
- For next time: Consider https://securitytxt.org/
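For reference when this comes up next time: an added example (not from these notes or from the Open edX project) of the file format that securitytxt.org standardizes (RFC 9116). Every domain, address and URL below is a placeholder and would need to be replaced with the project's real contact, policy and key locations.

```text
# Served at https://example.org/.well-known/security.txt (placeholder domain)
# Required: at least one Contact line and exactly one Expires line
Contact: mailto:security@example.org
Contact: https://example.org/security/report
Expires: 2025-12-31T23:59:59.000Z

# Optional fields
Encryption: https://example.org/pgp-key.txt
Canonical: https://example.org/.well-known/security.txt
Policy: https://example.org/security/policy
Acknowledgments: https://example.org/security/thanks
Preferred-Languages: en
```

Points a practitioner would check: the file must be served over HTTPS at /.well-known/security.txt, Expires must be a future date (the RFC recommends less than a year out) and the file has to be refreshed before it lapses, Canonical must match the URL it is actually served from, and the file may optionally be wrapped in an OpenPGP cleartext signature so researchers can verify it.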