Add draft of security team charter.

active/security.md

@@ -0,0 +1,113 @@
+# Security Team
+
+The Security Team is the group of people who respond to security reports for the Django framework.
+
+## Scope of responsibilities
+
+The Security Team is responsible for [Django’s security policies](https://docs.djangoproject.com/en/dev/internals/security/). This includes:
+
+- Reviewing security reports
+- Evaluating and developing fixes for confirmed security issues
+- Applying and backporting those fixes
+- Communicating with reporters
+- Communicating with the public about security releases
+- Communicating with operating-system vendors and other distributors of Django
+- Maintaining the DSF's status as a CVE Numbering Authority (CNA) and casting votes (or abstaining) in CNA elections
+
+## Membership
+
+- Chair:
+- Co-Chair:
+- Report triagers: 
+- Steering Council Liaison (must be an active Steering Council member; may be the same as Chair/Co-Chair): Frank Wiles
+- Other members:
+  - Adam Johnson
+  - Jacob Walls
+  - Jake Howard
+  - Mariusz Felisiak
+  - Markus Holtermann
+  - Michael Manfre
+  - Natalia Bidart
+  - Paul McMillan
+  - Sarah Boyce
+  - Shai Berger
+  - Simon Charette
+
+Note: The DSF Board President has access to the security mailing list, but does not otherwise participate in the team’s activities. This is mentioned for the sake of transparency.
+
+Every member of the team is encouraged to participate in all aspects of the team, including reviewing security reports, developing fixes and communicating with reporters. The expectations for all team members are as follows:
+
+- Participate in the process for at least one security report a year
+
+### Role definitions
+
+There are specific roles that have a higher level of expectations:
+
+- **Chair / Co-Chair:** Responsible for coordinating the group, scheduling meetings, renewing the group’s membership, and ensuring that the group’s activities align with its scope and responsibilities. The Chair and Co-Chair roles should be re-evaluated annually by the team.
+- **Report Triagers:** Acknowledge and triage initial reports and communicate with reporters.
+
+#### Report Triager
+
+These team members are responsible for acknowledging and triaging reports initially to determine likelihood of security concern and severity. As this is a volunteer role, the Fellows will support the triagers and when necessary, handle the initial triaging.
+
+Every member can adopt and step back as a Report Triager as their schedule allows.
+
+The responsibilities of a Report Triager are as follows:
+
+- Acknowledge report received
+- Initial assessment
+- Request help from team/experts if necessary
+- Progress to resolution
+    - For valid reports, hand-off to team member to own the report
+    - For invalid reports, communicate with reporter
+
+## Future membership
+
+The team manages its own membership by invitation. If the team needs to make a call for volunteers, it will be posted on the [djangoproject.com blog](https://www.djangoproject.com/weblog/) and the [Django Forum](https://forum.djangoproject.com). 
+
+The membership will operate as follows:
+
+- There is no upper limit to the team size
+- The team/WG will vote (50%+1) to approve/deny new member.
+- The team will directly vote on new Chair/Co-Chairs
+- All Django Fellows are automatically added to the Security team
+- A Django Fellow contract termination removes the person from the Security team
+- Each year, every non-Fellow member will need to reaffirm their membership with the team
+- A member can leave for any reason
+
+Members can also be removed by:
+
+- Becoming disqualified by the Code of Conduct working group
+- A vote of the Steering Council
+- The full consensus of the rest of the Security Team
+
+### Membership requirements
+
+Members should possess some knowledge in most of the following topics:
+
+- Building Django applications
+- Contributing to Django
+- Web applications
+- Web security
+- Software security
+- Software performance
+
+## Budget
+
+No budget is required at this time. This will be reviewed at least annually.
+Any changes to the budget may be requested from the board.
+
+## Comms
+
+The team has discussions in the following places:
+
+1. Formal and sensitive discussions on the mailing list: security@djangoproject.com
+2. Informal and team discussions on the DSF Slack in the private channel `#security-team`
+3. Monthly video-conference meetings
+
+## Reporting
+
+The team has two responsibilities in regards to reporting to the Board and the Steering Council:
+
+1. Use [Django Release Announcements thread](https://forum.djangoproject.com/t/django-release-announcements/655/96) on the Forum to report security releases
+2. An annual report summarizing the team's activity, areas of concern, considerations for the future and any other relevant topics