What is a Security Maintainer
A security maintainer is the person or people responsible for responding to security events in a repository at the instruction of the VA Cybersecurity Operations Center (CSOC). This may involve remediating a vulnerability or rotating leaked credentials.
How to assign a Security Maintainer
To assign a security maintainer, first choose an existing GitHub Team, or create a new one, to hold the security maintainer role. Once you have a team, navigate to the Settings -> Collaborators and teams page in your repository. From there, add the team and assign it the Security - Maintainer role.
How to Add or Remove a Security Maintainer
To add or remove a security maintainer, simply add or remove them from the existing team you have assigned the Security - Maintainer role to.
How Will the Security Maintainer Team be Used
If a security event occurs in your repository, the VA CSOC team will reach out to the members of the team assigned the Security - Maintainer role to coordinate remediation of the event. The VA CSOC team will not reach out via GitHub issues or pull requests. Instead, it will reach out via official @va.gov email addresses, and communication will only come from an official @va.gov email address.
If you need additional help or clarification, please open a support ticket with the GitHub Expert Services team by opening an issue in the GitHub User Requests repository.