Add draft of security team charter.

active/security.md

@@ -0,0 +1,93 @@
+# Security Team
+
+## Scope of responsibilities
+
+The security team is responsible for [Django’s security policies](https://docs.djangoproject.com/en/dev/internals/security/). This includes:
+
+- Reviewing security reports via security@djangoproject.com
+- Evaluating and patching confirmed security issues
+- Communicating with reporters
+- Communicating with the public about security releases
+- Communicating with operating-system vendors and other distributors of Django
+
+## Initial membership
+
+- Chair:
+- Co-Chair:
+- Report triagers: 
+- Steering Council Liaison (must be an active Steering Council member; may be the same as Chair/Co-Chair): Carlton Gibson
+- Other members:
+  - Adam Johnson
+  - Carlton Gibson
+  - Jacob Walls
+  - Jake Howard
+  - James Bennett
+  - Mariusz Felisiak
+  - Markus Holtermann
+  - Michael Manfre
+  - Natalia Bidart
+  - Paul McMillan
+  - Sarah Boyce
+  - Shai Berger
+  - Simon Charette
+
+Note: The DSF Board President has access to the security mailing list, but does not otherwise participate in the team’s activities. This is mentioned for the sake of transparency.
+
+### Role definitions
+
+- Chair / Co-Chair: Responsible for coordinating the group, scheduling meetings, renewing the group’s membership, and ensuring that the group’s activities align with its scope and responsibilities.
+- Report triagers: These team members are responsible for acknowleding and triaging reports initially to determine likelyhood of security concern and severity.
+
+## Future membership
+
+The team does not have a fixed size. The team decides when new members are needed. New members are chosen from a list of volunteers. If there are no qualified volunteers the team will place an advertisement on the Django website.
+
+Members must opt-in to remain on the team on an annual basis. They may also leave for any reason.
+
+Members can also be removed by:
+
+- Becoming disqualified by the Code of Conduct working group
+- A vote of the Steering Council
+- The full consensus of the rest of the Security Team
+
+### Membership requirements
+
+Members should possess some  knowledge of the following topics, but not necessarily all of them.
+
+- Building Django applications
+- Contributing to Django
+- Web applications
+- Web security
+- Software security
+
+### How to join
+
+Any person can volunteer to join the security team by submitting a Google Form (TODO: Create link). The team/WG will vote (50%+1) to approve/deny new members; the team/WG will directly vote on new Chair/Co-Chairs.
+
+The application should include the following:
+
+- Why do you want to join the team?
+- What is your history of using Django as a developer?
+- What is your history of contributing to Django?
+- What security experience do you bring that would be helpful to the team?
+
+(TODO: Define cadence of reviewing applications)
+
+## Budget
+
+No budget is required at this time. This will be reviewed at least annually.
+Any changes to the budget may be requested from the board.
+
+## Comms
+
+The team has discussions in two places:
+
+1. Formal and sensitive discussions on the mailing list: security@djangoproject.com
+2. Informal and team discussions on the DSF Slack in the private channel `#security-team`
+
+## Reporting
+
+The team has two responsibilities in regards to reporting to the Board and the Steering Council:
+
+1. Use [Django Release Announcements thread](https://forum.djangoproject.com/t/django-release-announcements/655/96) on the Forum to report security releases
+2. An annual report summarizing the team's activity, areas of concern, considerations for the future and any other relevant topics