Hi all, thank you for asking our opinion, and sorry for the delay, as this was one of the messages that was lost and we are enacting a procedure to ensure other messages are also not lost.

DG reviewed this proposal and agrees that security should be a Review Group similar to ARG, which is invitation-only, passive instead of active. 

We feel that Security, like Safety, is a cross-cutting property like ABI and Performance.

In fact, it would be beneficial to extend the scope of the proposed review group to both Security and Safety from the start. Our reasons include:
  - the topics are somewhat similar, have dependencies and intersect significantly,
  - we expect there will be a desire to extend that scope early on and we might as well avoid another round of administrative discussions, and
  - we think it would be harmful to end up with two separate groups for that purpose.

We would urge whoever is interested to start with a submission of charter and goal (that DG and others can review), as well as a recommendation of initial members and potential chairs.

We are now looking at a Dec 9th SG14 meeting to discuss the substance of such a direction according to the minutes of the November WG21 Admin call as well as forming a charter, goal, and possible initial review membership and potential chairs. This is only because one of the proposals came from an SG14 member.

If interested, please subscribe to the SG14 forum for the updated Zoom times and connection (also enclosed below), although we will also broadcast this to a wider group which includes SG12, WG23, Critical reliability google group.
As SG14 is an open outreach group, that means anyone can join, even those who are not registered ISO experts, by registering at the SG14 forum:

Herb, JF, and Bryce, please feel free to forward to your constituents or anyone else.

Hi,

Michael Wong is inviting you to a scheduled Zoom meeting.

Topic: SC14 monthly Dec 2020-Feb 2021
Time: Dec 9, 2020 02:00 PM Eastern Time (US and Canada)
    Every month on the Second Wed, until Feb 10, 2021, 3 occurrence(s)
    Dec 9, 2020 02:00 PM
    Jan 13, 2021 02:00 PM
    Feb 10, 2021 02:00 PM
    Please download and import the following iCalendar (.ics) files to your calendar system.
    Monthly: https://iso.zoom.us/meeting/tJcscuigqD8pHNESxi1bJ9ClURVqr_ZAvmv1/ics?icsToken=98tyKuCrrz4rEtKRsx-CRowqBY_4d_zwpilego14rwfsUiJ5OyD6A9B0I6BAKvnG

Join from PC, Mac, Linux, iOS or Android: https://iso.zoom.us/j/93151864365?pwd=aDhOcDNWd2NWdTJuT1loeXpKbTcydz09
    Password: 789626

Or iPhone one-tap :
    US: +12532158782,,93151864365#  or +13017158592,,93151864365#
Or Telephone:
    Dial(for higher quality, dial a number based on your current location):
        US: +1 253 215 8782  or +1 301 715 8592  or +1 312 626 6799  or +1 346 248 7799  or +1 408 638 0968  or +1 646 876 9923  or +1 669 900 6833  or 877 853 5247 (Toll Free)
    Meeting ID: 931 5186 4365
    Password: 789626
    International numbers available: https://iso.zoom.us/u/agpDuueQY

Or Skype for Business (Lync):
    https://iso.zoom.us/skype/93151864365


Note that SG14 is only facilitating the initial call and enabling outside experts. Further decisions on the formation of the entity will come from the Convener.
Thank you.

On Tue, Oct 27, 2020 at 9:20 PM Michael Wong <fraggamuffin@gmail.com> wrote:
Received. I will schedule this in the next call and check why this was never received. Thanks.

On Tue, Oct 27, 2020 at 12:31 PM Bryce Adelstein Lelbach aka wash <brycelelbach@gmail.com> wrote:
Hi all,

Michael Wong asked me to ping about this.

On Fri, Nov 8, 2019 at 5:49 AM Herb Sutter <herb.sutter@gmail.com> wrote:
>
> Thanks Bryce,
>
> DG, after you've had a chance to discuss this in your telecons, please let me know if you have an opinion on this. While DG doesn't generally recommend organizational things like creating subgroups, DG does recommend direction (including that P0939 already mentions security as a recommended priority) and did recommend what became the new ARG.
>
> In particular: Would DG prefer an ARG-like review board which is more passive, or an actual domain-specific SG(22) for Safety/Security that would actively review/guide/incubate proposals where safety/security are a major motivation, or major aspect, of the proposal (as SG1 does for concurrency, SG2 for modules, etc.)?
>
> I also plan to consult the officers/chairs between meetings, and in particular if we wanted to pursue an actual SG that decision would fall to the EWG+LEWG chairs and myself (per SD-3). But either way we'd appreciate input from DG and from the other chairs.
>
> Thanks,
>
> Herb
>
> > -----Original Message-----
> > From: Bryce Adelstein Lelbach aka wash <brycelelbach@gmail.com>
> > Sent: Friday, November 8, 2019 1:18 PM
> > To: direction@lists.isocpp.org; Herb Sutter <herb.sutter@gmail.com>; JF Bastien <cxx@jfbastien.com>
> > Subject: Proposal for a Security Review Group
> >
> > We've had a lot of proposals this week that have security implications and
> > would benefit from security review from experts, such as:
> >
> > - P1031/P1883: Low-Level I/O
> > - P1750: Process Management
> > - Networking
> >
> > Currently, we have no group to provide this sort of review.
> >
> > This sort of review group could have saved us a lot of trouble with
> > std::filesystem, which has large security holes in it.
> >
> > More notably, some of these proposals /explicitly/ prioritize security. During
> > LEWGI's review of P1883 (Low-Level I/O), we took a poll on design goals, which
> > had no objection to unanimous consent with 21 people present. The first design goal:
> >
> > 0. Priorities (for defaults): security > performance > ease of use.
> >
> > If we have proposals which are designing to be secure by default, we must have
> > a group of experts that can review those proposals from a security perspective.
> >
> > I'd like to suggest the creation of a (likely invite-only) Security Review Group,
> > similar to the ABI Review Group, for this purpose.
> >
> > --
> > Bryce Adelstein Lelbach aka wash
> > CUDA Core C++ Libraries Lead @ NVIDIA
> > ISO C++ Library Evolution Incubator Chair
> > ISO C++ Tooling Chair
> > CppCon and C++Now Program Chair
> > CUDA Convert and Reformed AVX Junkie
> >
> > Sleep is for the weak
> > --



--
Bryce Adelstein Lelbach aka wash (he/him/his)
US Programming Language Standards (PL22) Chair
ISO C++ Library Evolution Chair
CppCon and C++Now Program Chair
C++ Core Compute Libraries (Thrust, CUB, libcu++) Lead @ NVIDIA
--