
Update process documentation for current practices

Realign document sections with flowchart labels, add more
clarification between public and private report differences at some
stages, wrap E-mail templates at 68 columns for ML-friendliness,
specify that embargo notices are sent separately to the
linux-distros list to avoid crossposting, and include a bug
reference in the pre-OSSA template with instructions on requesting
private bug subscription.

Change-Id: I6503fe19b0c83d439763073c2b858ad731bce889
Jeremy Stanley 2 years ago
aaf503aec8
1 changed files with 117 additions and 64 deletions
doc/source/vmt-process.rst

@@ -1,4 +1,4 @@
1
-.. :Copyright: 2015, OpenStack Vulnerability Management Team
1
+.. :Copyright: 2017, OpenStack Vulnerability Management Team
2 2
 .. :License: This work is licensed under a Creative Commons
3 3
              Attribution 3.0 Unported License.
4 4
              http://creativecommons.org/licenses/by/3.0/legalcode
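Review bot: the copyright line replaces 2015 with 2017 instead of extending it, which drops the document's original publication year from the record; a range such as ``2015, 2017`` or ``2015-2017`` covers the new revision while keeping the earlier date.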
@@ -25,9 +25,10 @@ Supported versions
25 25
 ------------------
26 26
 
27 27
 The Vulnerability Management team coordinates patches fixing
28
-vulnerabilities in one or two previous releases of OpenStack, in
29
-addition to the master branch (next version under development), for
30
-all `security supported projects`_.
28
+vulnerabilities in supported stable branches (corresponding to
29
+previous major releases) of OpenStack, in addition to the master
30
+branch (next version under development), for all `security supported
31
+projects`_.
31 32
 
32 33
 .. _security supported projects: http://governance.openstack.org/reference/tags/vulnerability_managed.html
33 34
 
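Review bot: the rewritten sentence removes the only concrete bound on scope ("one or two previous releases") without pointing at what makes a stable branch "supported", so a reader can no longer tell from this page which branches the VMT will coordinate fixes for. Add a link to the stable branch support policy alongside the existing `security supported projects`_ target, or keep a one-clause summary of how many branches are typically covered.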
@@ -48,41 +49,76 @@ Reception
48 49
 
49 50
 A report can be received either as a private encrypted email to one
50 51
 of the VMT members, or as a Launchpad security bug (check the box
51
-marked "this is a security issue"). Reports received in private
52
-should have their bug description prefaced by an embargo reminder
53
-which can be removed once the bug is switched to a public state.
54
-
55
-The first steps are to confirm the validity of the report, create a
56
-Launchpad bug if necessary, add an ossa bugtask and subscribe the
57
-project's core security review team or `Vulnerability Management
58
-Liaison`_ for confirmation of impact and determination of
59
-affected branches. Reports starting with an "Incomplete" ossa
60
-bugtask should have a corresponding incomplete reception message
61
-added in a comment. Once we confirm that we will issue an OSSA for
62
-it, switch the ossa bugtask status to *Confirmed*. If the need for
63
-an OSSA is challenged, the ossa bugtask status should be set to
64
-*Incomplete* until that question is resolved.
52
+marked "this is a security issue").
53
+
54
+The first steps performed by the VMT are to confirm the validity of
55
+the report, create a Launchpad bug if necessary, prefix the
56
+description with an `embargo reminder`_, add an ossa bugtask and
57
+subscribe the project's core security review team for confirmation
58
+of impact and determination of affected branches. Reports starting
59
+with an *Incomplete* ossa bugtask should have a corresponding
60
+`incomplete reception`_ message added in a comment. Once the VMT
61
+confirms an OSSA is warranted, the ossa bugtask status will be set
62
+to *Confirmed*. If the need for an OSSA is challenged, the ossa
63
+bugtask status should be set back to *Incomplete* until that
64
+question is resolved.
65
+
66
+For some lower-risk issues or problems which may only be easy to
67
+solve in future releases, the ossa bugtask will be set to *Opinion*
68
+and the core security reviewers for the OpenStack Security team will
69
+be subscribed to determine whether they wish to issue an OSSN (these
70
+reports may still sometimes remain under embargo until the OSSN is
71
+issued). If no OSSA is warranted and there is no benefit to an OSSN_
72
+then the ossa bugtask will be set to *Won't Fix* or *Invalid*
73
+(depending on the specific situation) and the bug state switched
74
+from *Private Security* to *Public*, optionally adding the
75
+*security* bug tag if the report concerns a potential security
76
+hardening opportunity. The specifics are indexed in the `report
77
+taxonomy`_ and `task status`_ tables.
78
+
79
+.. _embargo reminder: #reception-embargo-reminder-private-issues
80
+.. _incomplete reception: #reception-incomplete-message-unconfirmed-issues
81
+.. _OSSN: https://wiki.openstack.org/wiki/Security_Notes
82
+.. _report taxonomy: #incident-report-taxonomy
83
+.. _task status: #ossa-task-status
84
+
85
+Patch development
86
+^^^^^^^^^^^^^^^^^
65 87
 
66
-.. _Vulnerability Management Liaison: https://wiki.openstack.org/wiki/CrossProjectLiaisons#Vulnerability_management
88
+For a private report, the reporter (automatic if reported directly
89
+as a bug) and the affected projects' core security review teams plus
90
+anyone they deem necessary to develop and validate a fix are added
91
+to the bug's subscription list. A fix is proposed as a patch to the
92
+current master branch (as well as any affected supported branches)
93
+and attached to the private bug report, **not sent to the public
94
+code review system**.
67 95
 
68
-Patch Development
69
-^^^^^^^^^^^^^^^^^
96
+For public reports, there is no need to directly subscribe anyone
97
+and patches can be submitted directly to the code review system
98
+instead of as bug attachments (though the bug should be referenced
99
+in any commit messages so it will be updated automatically).
70 100
 
71
-The reporter, or the PTL, or any person that the PTL deems necessary
72
-to develop the fix is added to the security bug subscription list. A
73
-fix is proposed as a patch to the current master branch (as well as
74
-any affected supported branches) and attached to the bug.
101
+If project-side delays are encountered at this or any subsequent
102
+stage of the process, the VMT and other interested parties may reach
103
+out to that project's `Vulnerability Management Liaison`_ requesting
104
+more immediate attention to the issue.
75 105
 
76
-Patch Review
106
+.. _Vulnerability Management Liaison: https://wiki.openstack.org/wiki/CrossProjectLiaisons#Vulnerability_management
107
+
108
+Patch review
77 109
 ^^^^^^^^^^^^
78 110
 
79
-Once the initial patch has been posted, core developers of the
80
-project are added to the bug subscription list so that the proposed
81
-patch can be pre-approved for merging. Patches need to be
82
-pre-approved so that they can be fast-tracked through review at
111
+For a private report once the initial patch has been attached to the
112
+bug, core reviewers on the subscription list from the project in
113
+question should review it and suggest updates or pre-approve it for
114
+merging. Privately-developed patches need to be pre-approved so that
115
+they can be fast-tracked through public code review later at
83 116
 disclosure time.
84 117
 
85
-Draft Impact Description
118
+For public reports, OpenStack's usual public code review and
119
+approval processes apply.
120
+
121
+Draft impact description
86 122
 ^^^^^^^^^^^^^^^^^^^^^^^^
87 123
 
88 124
 In the mean time, the VMT coordinator prepares a vulnerability
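Review bot: the new cross-references ``.. _embargo reminder: #reception-embargo-reminder-private-issues`` and ``.. _task status: #ossa-task-status`` are raw HTML fragment targets that depend on the ids docutils derives from heading text, and this very change renames several headings, so any further rename silently breaks them; use explicit ``.. _label:`` targets above the headings with ``:ref:`` roles, which Sphinx checks at build time. Also, Reception subscribes "the project's core security review team" (singular), Patch development says "the affected projects' core security review teams", and Patch review says "the project in question"; pick one wording that covers multi-project reports. The Opinion paragraph's "core security reviewers for the OpenStack Security team" should use the same name as the later context line that calls this group "ossg-coresec".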
@@ -96,13 +132,13 @@ describe impact and mitigation mechanisms. The VMT coordinator
96 132
 should use the template below. Once the description is posted, the
97 133
 ossa bugtask status should be switched to *Triaged*.
98 134
 
99
-Review Impact Description
135
+Review impact description
100 136
 ^^^^^^^^^^^^^^^^^^^^^^^^^
101 137
 
102 138
 The description is validated by the reporter and the PTL.
103 139
 
104
-CVE Assignment
105
-^^^^^^^^^^^^^^
140
+Send CVE request
141
+^^^^^^^^^^^^^^^^
106 142
 
107 143
 To ensure full traceability, we get a CVE assigned before the issue
108 144
 is communicated to a larger public. This is generally done as the
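Review bot: the unchanged context line "The description is validated by the reporter and the PTL." still assigns the review to the PTL, while this change moves every other project-side responsibility to the core security review team; update it to match, or this step is the only one in the document whose owner is not otherwise subscribed to the bug.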
@@ -112,14 +148,14 @@ an encrypted+signed email in order to get a CVE assigned. If the
112 148
 issue is already public, the CVE request should be sent to the
113 149
 oss-security list instead, including links to public bugs.
114 150
 
115
-Get Assigned CVE
151
+Get assigned CVE
116 152
 ^^^^^^^^^^^^^^^^
117 153
 
118 154
 The CNA returns the assigned CVE. It is added to the Launchpad bug
119 155
 (see "link to CVE" at the top-right), and the bug is retitled to
120 156
 "$TITLE ($CVE)".
121 157
 
122
-Embargoed Disclosure
158
+Embargoed disclosure
123 159
 ^^^^^^^^^^^^^^^^^^^^
124 160
 
125 161
 Once the patches are approved and the CVE is assigned, a signed
@@ -140,8 +176,8 @@ advance notification is sent. Instead the OSSA bugtask is set to fix
140 176
 committed status once the CVE assignment is received OSSA is
141 177
 drafting begins immediately.
142 178
 
143
-Open Bug, Push Patches
144
-^^^^^^^^^^^^^^^^^^^^^^
179
+Open bug, Push patch
180
+^^^^^^^^^^^^^^^^^^^^
145 181
 
146 182
 In preparation for this, make sure you have a core developer and a
147 183
 stable maintainer available to help pushing the fix at disclosure
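Review bot: the renamed heading "Open bug, Push patch" keeps "Push" capitalised while the rest of this change lowercases heading words, and switches to the singular although the step pushes one patch per affected branch (the section itself asks for a stable maintainer to help); suggest "Open bug, push patches". The unchanged context two lines above, "set to fix committed status once the CVE assignment is received OSSA is drafting begins immediately", is ungrammatical and worth fixing while this section is being edited.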
@@ -161,6 +197,15 @@ test runs to complete), publish the advisory to the OpenStack ML.
161 197
 Wait until all patches merged to supported branches before setting
162 198
 the ossa bugtask status to *Fix released*.
163 199
 
200
+All patches merged
201
+^^^^^^^^^^^^^^^^^^
202
+
203
+Patches approved in code review do not necessarily merge
204
+immediately, but should be tracked closely until they do (if the bug
205
+number is correctly identified in commit messages then it will be
206
+automatically updated to reflect this as well). Subsequent security
207
+point releases of affected software may then be tagged if warranted.
208
+
164 209
 Incident Report Taxonomy
165 210
 ------------------------
166 211
 
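Review bot: the new "All patches merged" section duplicates the instruction left in context just above it ("Wait until all patches merged to supported branches before setting the ossa bugtask status to *Fix released*") instead of moving it, so the *Fix released* transition is still described under the previous step rather than in the step named for it. Move that sentence here, and say who tags the security point releases ("may then be tagged if warranted" has no owner; the stable maintainers from the "Open bug" step are the obvious candidates).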
@@ -255,7 +300,7 @@ Vulnerability reporters retain final control over the disclosure of
255 300
 their findings. If for some reason they are uncomfortable with our
256 301
 process, their choice of disclosure terms prevails.
257 302
 
258
-Embargo Exceptions
303
+Embargo exceptions
259 304
 ^^^^^^^^^^^^^^^^^^
260 305
 
261 306
 To keep the embargo period short and effective, the VMT may
@@ -267,7 +312,7 @@ Whenever such a case occurs, the ossg-coresec group is
267 312
 subscribed to the bug report in order to discuss whether or not
268 313
 it's imperative to keep that particular bug private.
269 314
 
270
-Downstream Stakeholders
315
+Downstream stakeholders
271 316
 ^^^^^^^^^^^^^^^^^^^^^^^
272 317
 
273 318
 OpenStack as an upstream project is used in a number of
@@ -288,7 +333,7 @@ please submit an email with a rationale to member(s) of the VMT_.
288 333
 Templates
289 334
 ---------
290 335
 
291
-Reception Incomplete Message (Unconfirmed Issues)
336
+Reception incomplete message (unconfirmed issues)
292 337
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
293 338
 
294 339
 Since this report concerns a possible security risk, an incomplete
@@ -297,7 +342,7 @@ reviewers for the affected project or projects confirm the bug and
297 342
 discuss the scope of any vulnerability along with potential
298 343
 solutions.
299 344
 
300
-Reception Embargo Reminder (Private Issues)
345
+Reception embargo reminder (private issues)
301 346
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
302 347
 
303 348
 This issue is being treated as a potential security risk under
@@ -313,7 +358,7 @@ those who are made aware of the issue prior to publication. All
313 358
 discussion should remain confined to this private bug report, and
314 359
 any proposed fixes should be added to the bug as attachments.
315 360
 
316
-Impact Description ($DESCRIPTION)
361
+Impact description ($DESCRIPTION)
317 362
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
318 363
 
319 364
 ::
@@ -349,7 +394,7 @@ open-ended:
349 394
 
350 395
     Affects: <=8.1.0 and ==9.0.0
351 396
 
352
-CVE Request Email (Private Issues)
397
+CVE request email (private issues)
353 398
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
354 399
 
355 400
 * *To:* CNA
@@ -371,10 +416,9 @@ CVE Request Email (Private Issues)
371 416
     $VMT_COORDINATOR_NAME
372 417
     OpenStack Vulnerability Management Team
373 418
 
374
-
375 419
 Email must be GPG-signed and GPG-encrypted.
376 420
 
377
-CVE Request Email (Public Issues)
421
+CVE request email (public issues)
378 422
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
379 423
 
380 424
 * *To:* oss-security@lists.openwall.com
@@ -385,8 +429,8 @@ CVE Request Email (Public Issues)
385 429
 
386 430
     A vulnerability was discovered in OpenStack (see below). In order to
387 431
     ensure full traceability, we need a CVE number assigned that we can
388
-    attach to further notifications. This issue is already public, although an
389
-    advisory was not sent yet.
432
+    attach to further notifications. This issue is already public,
433
+    although an advisory was not sent yet.
390 434
 
391 435
     $DESCRIPTION
392 436
 
@@ -395,42 +439,51 @@ CVE Request Email (Public Issues)
395 439
 
396 440
     Thanks in advance,
397 441
 
398
-    --
442
+    -- 
399 443
     $VMT_COORDINATOR_NAME
400 444
     OpenStack Vulnerability Management Team
401 445
 
402 446
 Email must be GPG-signed but not encrypted.
403 447
 
404
-Downstream Stakeholders Notification Email (Private Issues)
448
+Downstream stakeholders notification email (private issues)
405 449
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
406 450
 
451
+We send two separate emails, to avoid off-topic replies to linux-distros:
452
+
407 453
 * *To:* embargo-notice@lists.openstack.org
454
+* *To:* linux-distros@vs.openwall.org
455
+
456
+Subject and content for both emails is identical:
457
+
408 458
 * *Subject:* [pre-OSSA] Vulnerability in OpenStack $PROJECT ($CVE)
409 459
 
410 460
 ::
411 461
 
412
-    This is an advance warning of a vulnerability discovered in OpenStack,
413
-    to give you, as downstream stakeholders, a chance to coordinate the
414
-    release of fixes and reduce the vulnerability window. Please treat the
415
-    following information as confidential until the proposed public
416
-    disclosure date.
462
+    This is an advance warning of a vulnerability discovered in
463
+    OpenStack, to give you, as downstream stakeholders, a chance to
464
+    coordinate the release of fixes and reduce the vulnerability window.
465
+    Please treat the following information as confidential until the
466
+    proposed public disclosure date.
417 467
 
418 468
     $DESCRIPTION
419 469
 
420 470
     Proposed patch:
421
-    See attached patches. Unless a flaw is discovered in them, these patches
422
-    will be merged to their corresponding branches on the public disclosure date.
471
+    See attached patches. Unless a flaw is discovered in them, these
472
+    patches will be merged to their corresponding branches on the public
473
+    disclosure date.
423 474
 
424 475
     CVE: $CVE
425 476
 
426 477
     Proposed public disclosure date/time:
427 478
     $DISCLOSURE, 1500UTC
428
-    Please do not make the issue public (or release public patches) before
429
-    this coordinated embargo date.
430
-
431
-    Regards,
479
+    Please do not make the issue public (or release public patches)
480
+    before this coordinated embargo date.
432 481
 
433
-    --
482
+    Original private report:
483
+    https://launchpad.net/bugs/$BUG
484
+    For access to read and comment on this report, please reply to me
485
+    with your Launchpad username and I will subscribe you.
486
+    -- 
434 487
     $VMT_COORDINATOR_NAME
435 488
     OpenStack Vulnerability Management Team
436 489
 
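Review bot: "Subject and content for both emails is identical" should read "are identical". The added ``-- `` signature separator relies on a trailing space that many editors and pre-commit hooks strip, which would silently turn it back into ``--``; a comment in the file or an editor setting is needed to protect it, and removing "Regards," together with the blank line means the new subscription sentence now runs straight into the separator. More substantively, the new closing paragraph offers to subscribe any replying recipient to the private Launchpad bug, which widens the embargo circle beyond the two lists; the template should state that subscribed readers remain bound by the disclosure date given above, and the process text should say how the VMT records who was added.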
@@ -439,8 +492,8 @@ something unique and descriptive for the patch attachment file
439 492
 names, for example ``cve-2013-4183-master-havana.patch`` or
440 493
 ``cve-2013-4183-stable-grizzly.patch``.
441 494
 
442
-OpenStack Security Advisories
443
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
495
+OpenStack security advisories (OSSA)
496
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
444 497
 
445 498
 The document is first submitted as a yaml description to the ossa
446 499
 project using this template::
