I am a Managing Security Consultant and MD at CycleSEC Information Security Consulting. We use XWiki in several customer projects for ISMS documentation according to ISO/IEC 27001. It would be great to have access to more security-related information and discussions. If you need more information, please do not hesitate to ask.
Would it be possible to have a bit more information about the reason why you want access to the security-related information and discussions? We generally grant the access to people we already know about, and apparently it’s the first time you post here and I haven’t found you in our bug tracker either.
If you need some specific information, maybe we can share them without opening up everything.
Thank you for the quick reply. I am a bit confused about your question regarding why I am interested in security-related information and discussions. That question is new to me, especially after introducing myself as an Information Security Consultant.
As I don’t know what “everything” is, it seems impossible for me to specify what I am particularly interested in. Probably I try to ask back: What information do you offer to your interested parties on CISO or ISO level within “everything”?
And clearly, I am not able to give you a (satisfying) answer to your questions in public. It would be great if you could PM me. Thanks.
If it’s about reporting security issues then you can already do this.
If it’s about being privy to security discussions as they’re happening internally to the XWiki project (i.e. for security issues that are not yet public), then indeed you’d need to be added to various places (basically what’s listed at https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/#HAddinganewsecuritymember ). Please note that it’s quite high volume and most of these places are discussions. Apart from discussions, there’s:
- one place on GH which contains advisories that are not public yet;
- the list of confidential Jira issues that have not been made public yet.
From all of this, what would you like to have access to?
It’s the first time we’re getting a request for this, which is why we’re not yet sure what kind of information we need to verify/ask. Please give us a few days after you tell us what you’d like to have access to.
Taking part in security discussions would be a great start. We use XWiki in several customer projects and I have a few questions and most security questions hurt.
As an example:
At the moment I am trying to verify the ISO/IEC 27001 certification of the XWiki SAS Cloud Service Provider OVH: XWiki Cloud FAQ - XWiki
It would be of help for every security management professional to find out how to get access to the Certificate, Scope and Statement of Applicability because everyone with an ISMS according to ISO/IEC 27001 has to validate that certificate from time to time if XWiki SAS/OVH is one of their cloud suppliers.
We have to do so because of:
ISO/IEC 27001 - A.5.21 - Managing information security in the ICT supply chain
ISO/IEC 27001 - A.5.22 - Monitoring and review and change management of supplier services
ISO/IEC 27001 - A.5.23 - Information security for use of cloud services
So the channels we pointed you to are only about XWiki.org: we won’t discuss any XWiki SAS related topic in those. And the link you provided is only about the cloud support provided by XWiki SAS: you should get in contact with them directly to get answers.
But my topic isn’t about that example, right? I kindly requested access to “more security-related information and discussions” as you offer to “anyone” in your Security Policy.
As far as I understand, a Security Policy targets - amongst others - Security Professionals. In that special case Security Professionals who need information about XWiki. I am such a Security Professional. Sorry for asking.
Don’t take me wrong and don’t apologize for asking. There’s no problem about asking for access to information about security on XWiki. I was just trying to clarify that the specific example you took, regarding XWiki Cloud provided by XWiki SAS, is not a relevant example here: we won’t address questions related to this in the security channels of XWiki.org that you requested access for.
That being said we will discuss internally how we grant you access to the security channels of XWiki.org.
All that remains to grant you access is to have your formal acceptance of this question:
Do you consent that you won’t publicly disclose the non-public security information that you’ll have access to before the XWiki committers make it public, and more generally that you agree to follow the rules defined in the security policy at https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/ ?