The Project Proposal Template specifies that a project should state what its security response policy is, if any, when being submitted to the Confidential Computing Consortium.
Each CCC project should have a written security response policy, but the details may vary by project. A written policy is not a prerequisite for submitting a project to the CCC, but once accepted, projects are expected to have some documented disclosure process. A security response policy should include both an inbound disclosure process (how vulnerabilities are reported to the project) and an outbound disclosure process (how the project notifies others before and after a fix is public).
Questions to consider for the inbound disclosure process include:
- How should a vulnerability be disclosed to the project?
- Is anonymous disclosure permitted, and if so, how?
Questions to consider for the outbound disclosure process include:
- Who gets early notice of embargoed vulnerabilities?
- Is the list of who gets early notice public or private?
- How does one apply to get on the list of those who get early notice?
- What is the process for vetting and approving such parties?
- Are there any specific requirements that one must meet to get approved?