
Update CVE request process for MITRE's Web form

As MITRE is no longer accepting CVE requests via E-mail, switch to
using their Web form. This also makes using a separate CNA for
embargoed CVE requests mostly irrelevant, so use basically the same
process for both private and public reports.

Change-Id: I557cd75f883b3a2cf6f33009990a414aeb105664
Jeremy Stanley 1 year ago
parent commit 2c546e256d
1 changed file with 47 additions and 8 deletions: doc/source/vmt-process.rst

@@ -140,18 +140,49 @@ The description is validated by the reporter and the PTL.
140 140
 Send CVE request
141 141
 ^^^^^^^^^^^^^^^^
142 142
 
143
-To ensure full traceability, we get a CVE assigned before the issue
144
-is communicated to a larger public. This is generally done as the
145
-patch gets nearer to final approval. The ossa bugtask status is set
146
-to *In progress* and the approved description is sent to a CNA in
147
-an encrypted+signed email in order to get a CVE assigned. If the
148
-issue is already public, the CVE request should be sent to the
149
-oss-security list instead, including links to public bugs.
143
+To ensure full traceability, we attempt to obtain a CVE assignment
144
+before the issue is communicated to a larger public. This is
145
+generally done as the patch gets nearer to final approval. The ossa
146
+bugtask status is set to *In progress* and the approved impact
147
+description is submitted through `MITRE's CVE Request form`_. The
148
+*request type* is ``Request a CVE ID``, the *e-mail address* should
149
+be that of the requester (generally the assigned VMT coordinator in
150
+the case of reports officially managed by the VMT), and for
151
+embargoed reports the coordinator's OpenPGP key should be pasted
152
+into the field provided.
153
+
154
+In the *required* section set the checkboxes indicating the product
155
+is not CNA-covered and that no prior CVE ID has been assigned,
156
+select an appropriate *vulnerability  type* (using ``Other or
157
+Unknown`` to enter a freeform type if there is nothing relevant on
158
+the drop-down), set the *vendor* to ``OpenStack``, and the *product*
159
+and *version* fields to match the ``$PROJECTS`` and
160
+``$AFFECTED_VERSIONS`` from the impact description. In the
161
+*optional* section set the radio button for *confirmed/acknowledged*
162
+to ``Yes``, choose an appropriate *attack type* in the drop-down
163
+(often this is ``Context-dependent`` for our cases), check the
164
+relevant *impact* checkboxes, attempt to fill in the *affected
165
+components* and *attack vector* fields if possible, paste in the
166
+*suggested description* from the prose of the impact description
167
+(usually omitting the first sentence as it's redundant with other
168
+fields), put the ``$CREDIT`` details in the *discoverer/credits*
169
+field, and the bug URL (along with Gerrit URLs for patches if
170
+already public) in the *references* field. If the report is still
171
+private, note that in the *additional information* field like ``This
172
+report is currently under embargo and no disclosure date has been
173
+scheduled at this time.``
174
+
175
+At the bottom of the page, fill in the *security code* and click the
176
+*submit request* button. If some fields contain invalid data they
177
+will be highlighted red; correct these, update the *security code*
178
+and *submit request* again until you get a confirmation page.
179
+
180
+.. _MITRE's CVE Request form: https://cveform.mitre.org/
150 181
 
151 182
 Get assigned CVE
152 183
 ^^^^^^^^^^^^^^^^
153 184
 
154
-The CNA returns the assigned CVE. It is added to the Launchpad bug
185
+MITRE returns the assigned CVE. It is added to the Launchpad bug
155 186
 (see "link to CVE" at the top-right), and the bug is retitled to
156 187
 "$TITLE ($CVE)".
157 188
 
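Review bot: there is a doubled space in ``*vulnerability  type*`` in the sentence about selecting a type from the drop-down; it should read ``*vulnerability type*``. A second point on the same hunk: the removed paragraph told the coordinator to send already-public issues to the oss-security list with links to the public bugs, while the replacement only mentions including Gerrit URLs in the *references* field "if already public". If a list post is still expected for public issues, keep one sentence saying so; if not (the commit message says the same process now covers both private and public reports), it would help to state that explicitly here so readers do not look for the old step.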
@@ -189,6 +220,14 @@ on master and supported stable branches, fast-track approvals
189 220
 
190 221
 Embargo reminder can be removed at that point.
191 222
 
223
+`MITRE's CVE Request form`_ should be used again at this point, but
224
+instead select a *request type* of ``Notify CVE about a
225
+publication`` and fill in the coordinator's *e-mail address*,
226
+provide a *link to the advisory* (the URL to it on
227
+https://security.openstack.org/ if this was an official OSSA), the
228
+*CVE IDs* covered, and the *date published*. Once more, fill in the
229
+*security code* at the bottom of the page and *submit request*.
230
+
192 231
 Publish OSSA
193 232
 ^^^^^^^^^^^^
194 233
 
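Review bot: the new paragraph sits before the "Publish OSSA" heading yet asks for the *link to the advisory* and the *date published*, which only exist once the OSSA is out; either move it after the publication step or reword "at this point" so it is clear the ``Notify CVE about a publication`` request is sent after the advisory is published. Also, the ``MITRE's CVE Request form`_`` reference here depends on the ``.. _MITRE's CVE Request form:`` target added in the earlier hunk; RST named targets are document-wide so this should resolve, but it is worth confirming the docs build does not warn about it.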
