Security response team rotation is outdated

[aliok]

Related docs:

• https://github.com/knative/community/blob/main/SECURITY.md
• https://github.com/knative/community/blob/main/working-groups/security/disclosure.md
• https://github.com/knative/community/blob/main/working-groups/security/responding.md

VMT rotation is outdated: https://github.com/knative/community/blob/main/working-groups/security/vmt.rotation (not sure where this is used)

Also, can we verify that security@knative.team is still working with recipients still active in the project?

[aliok]

Ah, and, it might be good to list publicly who receives mails sent to that email address.

[aliok]

cc @knative/technical-oversight-committee

[psschwei]

@evankanderson @davidhadas

[evankanderson]

I believe that the alias is still working.

The rotation was used with https://knative.party/, but since we only had one lead and no other volunteers, it had just been me for a while. It would be great to get a larger set of particpants (maybe TOC?)

[evankanderson]

We didn't sign up for upstream early notifications -- I think that was on julz@'s plate, and the reduction of interest and capacity meant that dropped by the wayside

[evankanderson]

Verified that security@knative.team is still working

[dprotaso]

/assign @davidhadas

[davidhadas]

Is there a requirement to have a vmt.rotation file? Is this documented anywhere? If not, I suggest to drop this page.

We do need to make sure we have the vulnerability procedure well documented and updated.
Lets do another review of disclosure.md and responding.md

[davidhadas]

Q from @dprotaso: is the TOC on the security@knative.team mailing list?

[evankanderson]

Q from @dprotaso: is the TOC on the security@knative.team mailing list?

It is not currently -- we could add them if desired.