Add draft of security team charter.

active/security.md

@@ -0,0 +1,117 @@
+# Security Team
+
+The Security Team is the group of people who respond to security reports for the Django framework.
+
+## Scope of responsibilities
+
+The Security Team is responsible for [Django’s security policies](https://docs.djangoproject.com/en/dev/internals/security/). This includes:
+
+- Reviewing security reports
+- Evaluating and developing fixes for confirmed security issues
+- Applying, backporting and releasing those fixes as patches and Django releases
+- Communicating with reporters
+- Communicating with the public about security releases
+- Communicating with operating-system vendors and other distributors of Django
+- Maintaining the DSF's status as a CVE Numbering Authority (CNA) and casting votes (or abstaining) in CNA elections
+
+## Membership
+
+- Chair:
+- Co-Chair:
+- Report triagers: 
+- Steering Council Liaison (must be an active Steering Council member; may be the same as Chair/Co-Chair): Frank Wiles
+- Other members:
+  - Adam Johnson
+  - Jacob Walls
+  - Jake Howard
+  - Mariusz Felisiak
+  - Markus Holtermann
+  - Michael Manfre
+  - Natalia Bidart
+  - Paul McMillan
+  - Sarah Boyce
+  - Shai Berger
+  - Simon Charette
+
+Note: The DSF Board President has access to the security mailing list, but does not otherwise participate in the team’s activities. This is mentioned for the sake of transparency.
+
+Every member of the team is encouraged to participate in all aspects of the team, including reviewing security reports, developing fixes and communicating with reporters. The expectations for all team members are as follows:
+
+- Participate in the process for at least one security report a year
+
+### Role definitions
+
+There are specific roles that have a higher level of expectations:
+
+- **Chair / Co-Chair:** Responsible for coordinating the group, scheduling meetings, renewing the group’s membership, and ensuring that the group’s activities align with its scope and responsibilities. The Chair and Co-Chair roles should be re-evaluated annually by the team.
+- **Report Triagers:** Acknowledge and triage initial reports and communicate with reporters.
+
+#### Report Triager
+
+These team members are responsible for acknowledging and triaging reports initially to determine likelihood of security concern and severity. As this is a volunteer role, the Fellows will support the triagers and when necessary, handle the initial triaging.
+
+Every member can adopt and step back as a Report Triager as their schedule allows.
+
+The responsibilities of a Report Triager are as follows:
+
+- Acknowledge report received
+- Initial assessment
+- Request help from team/experts if necessary
+- Progress to resolution
+    - For valid reports, hand-off to team member to own the report
+    - For invalid reports, communicate with reporter
+
+## Future membership
+
+The team does not have a fixed size. The team decides when new members are needed. New members are chosen from a list of volunteers. If there are no qualified volunteers the team will place an advertisement on the Django website.
+
+Members must opt-in to remain on the team on an annual basis. They may also leave for any reason.
+
+Members can also be removed by:
+
+- Becoming disqualified by the Code of Conduct working group
+- A vote of the Steering Council
+- The full consensus of the rest of the Security Team
+
+### Membership requirements
+
+Members should possess some knowledge in most of the following topics:
+
+- Building Django applications
+- Contributing to Django
+- Web applications
+- Web security
+- Software security
+- Software performance
+
+### How to join
+
+Any person can volunteer to join the security team by submitting a Google Form (TODO: Create link). The team/WG will vote (50%+1) to approve/deny new members; the team/WG will directly vote on new Chair/Co-Chairs.
+
+The application should include the following:
+
+- Why do you want to join the team?
+- What is your history of using Django as a developer?
+- What is your history of contributing to Django?
+- What security experience do you bring that would be helpful to the team?
+
+(TODO: Define cadence of reviewing applications)
+
+## Budget
+
+No budget is required at this time. This will be reviewed at least annually.
+Any changes to the budget may be requested from the board.
+
+## Comms
+
+The team has discussions in two places:
+
+1. Formal and sensitive discussions on the mailing list: security@djangoproject.com
+2. Informal and team discussions on the DSF Slack in the private channel `#security-team`
+
+## Reporting
+
+The team has two responsibilities in regards to reporting to the Board and the Steering Council:
+
+1. Use [Django Release Announcements thread](https://forum.djangoproject.com/t/django-release-announcements/655/96) on the Forum to report security releases
+2. An annual report summarizing the team's activity, areas of concern, considerations for the future and any other relevant topics