Open Bug 1805853 Opened 2 years ago Updated 2 days ago

Do not include webcompat org in GHE

Categories

(mozilla.org :: Github: Administration, task, P4)

Tracking

(Not tracked)

People

(Reporter: Honza, Unassigned)

Details

(Whiteboard: [sec-input-needed] [ghe-org-policy-needed])

Webcompat GitHub org [1] should NOT be included in the GHE push from Mozilla.

[1] https://github.com/webcompat/

The webcompat project is vendor-neutral and moving it under the Mozilla org is not an option for us. The org has participation from external people (including other browser developers) and enforcing Mozilla SSO wouldn't work.

However, we appreciate help in case of security concerns we might have in the future.

Thank you,
Honza

So, this is a similar reasoning (but different in implementation) request to the one for MDN to be excluded from the GHE push (bug 1780830). Mainly in that afaik, no one on the current IT GitHub administration team (myself, Andrew Erickson, Hal Wine) has access to that org, let alone owner rights.

So, before we get into agreements on what responsibilities there are and who has them, I think maybe having a list of current owners for contact purposes might be in order. I'm assuming you're one, :Honza, but I'm hoping there's more than one.

Also setting an NI for Hal, being Secops he might have other first questions.

Flags: needinfo?(odvarko)
Flags: needinfo?(hwine)

Owners:

  • Dennis Schubert
  • Joe Walker
  • Karl Dubost
  • Jan Odvarko
  • James Graham
  • Ksenia Berezina
  • Guillaume Démésy
  • Mike Taylor

(61 members, 14 outside collaborators)

Flags: needinfo?(odvarko)

Here's the list of things we need you to agree to for your org. Noting that you probably already are doing most of these. Secops and GHE admins just want recorded that you agree to the minimums of what is needed.

  • Onboarding/Offboarding users
  • Managing App and Action permissions
  • Temporary suspension of GitHub access for logins of members who have had their laptop/PC compromised (24/7/365 support if your content is critical)
  • Following these standards and guidelines, or requesting exceptions that are documented
  • Agreeing to ongoing monitoring by security to protect Mozilla’s Intellectual Property appropriately
  • When Incident Response folk come knocking, working with them to handle any security incidents (24/7/365 support)
  • Setting the support email for the org to point to the group/lists that manage this organization

Let us know if there are concerns or questions, so we can hash out and record things.

Update: we (Risk Management) are still formalizing the process on this, and will work on finalizing this request when the process is defined.

Whiteboard: [sec-input-needed]
Priority: -- → P4
Flags: needinfo?(hwine)
Whiteboard: [sec-input-needed] → [sec-input-needed] [ghe-org-policy-needed]