Description
There are multiple locations where security teams are managed:
- https://github.com/cilium/community/blob/main/roles/Security-Team.md (@cilium/security ?)
- https://github.com/cilium/community/blob/main/ladder/teams/security.yaml
- https://cilium.slack.com #security-team channel
- [email protected] mailing list group
- @cilium/security-org
The differences between these groups may not be entirely obvious, but we should look into the organization and repository settings and the team memberships, and clarify the scope for each group as well as who has access to those options.
The related one I think is pretty clear is @cilium/github-sec. This has a smaller, different scope specifically related to ensuring that GitHub workflows are written following security best practices. It's documented in the project-wide reviewers (should probably be called org-wide).
We may want to consider as well how subprojects get access to security reports.