SIG Security is a special interest group for O3DE security. It serves as an advisory group for security-related issues including compliance, security issue resolution, and security patching. The SIG is responsible for maintaining vulnerability reporting and response mechanisms for O3DE. In addition, the SIG assists with other tasks that fall under the Application Security (AppSec) umbrella of concern.
- To be set after the rest of the charter is reviewed.
- Gather information about security flaws.
- Identify potential security risks/gaps in Software.
- Define best practices for ensuring secure code.
- Triage and acceptance of incoming security issues.
- Creation and maintenance of mechanisms for the secure intake of vulnerability issues, including any security reporting email lists for O3DE.
- Management of GitHub security advisories for the O3DE repos.
- Management of any security disclosure mechanisms including email lists.
- Assists in the selection or development of tooling and automation for security issue identification.
- Runs security campaigns to resolve identified security issues, including deprecation of software components.
- Provide SPDX (Software Package Data Exchange) scanning tools to detect violations.
- Disseminating information to other SIGs for action, updates, or fixes.
- Review and provide feedback on SIG-presented features and implementations.
- Provide SPDX licensing violation reports to the corresponding SIGs.
- Advise SIGs on secure use of new libraries.
- Provide the web and docs team with links to campaign information stored in the SIG's repository.
- Provide consultation for compliance automation scanning at periodic intervals and point release intervals for each potential issue and report violations to appropriate SIGs.
- Advise the Technical Steering Committee and Governing Board of potential threats and unresolved issues.
- Items that span or require other SIGs or groups, and how they relate to this SIG's responsibilities.
- Not responsible for fixing any detected or reported security issues.
- Not responsible for enforcing or acting upon any legal compliance issues.
- Not responsible for implementing security or IP detection tools into automation or build chains, but may advise SIGs on where to implement.
- Items that are optional or are not the responsibility of this SIG.
- Joining this SIG - https://github.com/orgs/o3de/teams/sig-security
- Slack/Discord - https://discord.com/channels/805939474655346758/816043899477950475
- Mailing list - https://lists.o3de.org/g/sig-security
- Issues/PRs - https://github.com/o3de/sig-security/issues/
- Meeting agenda & Notes - #1
SIG Security adheres to the standards for roles and organization management as specified by . This SIG opts in to updates and modifications to
Should provide steps to reproduce, links, and examples for security flaws, discoveries, or potential issues. Should raise potential security issues through the appropriate mechanisms.
Additional information not found in the sig-governance related to contributors.
- Run issue triage when the SIG Chair(s) are unavailable. Must validate and verify that a submitted issue or flaw exists and should be accepted by the SIG.
- Help the SIG stay on top of any security concerns:
- Engage with the SIR team process
- (Optionally) Monitor GitHub issues for any security impacting issues and raise with SIG.
- (Optionally) Monitor Discord for any security impacting issues and raise with SIG.
Additional information not found in the sig-governance related to contributors.
Additional information not found in the sig-governance related to SIG Chairs
Additional information not found in the sig-governance related to subproject creation
Explicit Deviations from the sig-governance