[Security Review] kcp

[embik]

Project Name: kcp

Github URL: https://github.com/kcp-dev/kcp

CNCF project stage and issue (NA if not applicable): sandbox (cncf/sandbox#47) (we are looking for this joint security review to apply for incubation)

Security Provider: no

• Identify team
  • Project security lead
  • Lead security reviewer
  • 1 or more additional reviewer(s)
  • Every reviewer has read security reviewer guidelines and stated declaration of conflict
  • Sign off by facilitator on reviewer conflicts
• Create slack channel (e.g. #sec-assess-projectname)
• Project lead provides draft document - see outline
• "Naive question phase" Lead Security Reviewer asks clarifying questions
• Assign issue to security reviewers
• Initial review
• Presentation & discussion
• Share draft findings with project
• Assessment summary and doc checked into /assessments/projects/project-name (require at least 1 co-chair approval)
• CNCF TOC presentation (if requested by TOC)

[JustinCappos]

Where is your self assessment document? (You can see the repo for many examples.)

[embik]

My understanding was that we can do either a self-assessment or a joint assessment with TAG security. If that is not the case I apologize for the confusion on my part!

[JustinCappos]

The first part of a joint assessment is to do a self assessment. This book can help to guide you.

[embik]

Okay, understood. Apologies for opening the issue then. Should this be closed and re-opened once we have the self-assessment?