Update process documentation for current practices
Realign document sections with flowchart labels, add more clarification between public and private report differences at some stages, wrap E-mail templates at 68 columns for ML-friendliness, specify that embargo notices are sent separately to the linux-distros list to avoid crossposting, and include a bug reference in the pre-OSSA template with instructions on requesting private bug subscription. Change-Id: I6503fe19b0c83d439763073c2b858ad731bce889
This commit is contained in:
parent
53a4f33f88
commit
aaf503aec8
|
@ -1,4 +1,4 @@
|
||||||
.. :Copyright: 2015, OpenStack Vulnerability Management Team
|
.. :Copyright: 2017, OpenStack Vulnerability Management Team
|
||||||
.. :License: This work is licensed under a Creative Commons
|
.. :License: This work is licensed under a Creative Commons
|
||||||
Attribution 3.0 Unported License.
|
Attribution 3.0 Unported License.
|
||||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||||
|
@ -25,9 +25,10 @@ Supported versions
|
||||||
------------------
|
------------------
|
||||||
|
|
||||||
The Vulnerability Management team coordinates patches fixing
|
The Vulnerability Management team coordinates patches fixing
|
||||||
vulnerabilities in one or two previous releases of OpenStack, in
|
vulnerabilities in supported stable branches (corresponding to
|
||||||
addition to the master branch (next version under development), for
|
previous major releases) of OpenStack, in addition to the master
|
||||||
all `security supported projects`_.
|
branch (next version under development), for all `security supported
|
||||||
|
projects`_.
|
||||||
|
|
||||||
.. _security supported projects: http://governance.openstack.org/reference/tags/vulnerability_managed.html
|
.. _security supported projects: http://governance.openstack.org/reference/tags/vulnerability_managed.html
|
||||||
|
|
||||||
|
@ -48,41 +49,76 @@ Reception
|
||||||
|
|
||||||
A report can be received either as a private encrypted email to one
|
A report can be received either as a private encrypted email to one
|
||||||
of the VMT members, or as a Launchpad security bug (check the box
|
of the VMT members, or as a Launchpad security bug (check the box
|
||||||
marked "this is a security issue"). Reports received in private
|
marked "this is a security issue").
|
||||||
should have their bug description prefaced by an embargo reminder
|
|
||||||
which can be removed once the bug is switched to a public state.
|
|
||||||
|
|
||||||
The first steps are to confirm the validity of the report, create a
|
The first steps performed by the VMT are to confirm the validity of
|
||||||
Launchpad bug if necessary, add an ossa bugtask and subscribe the
|
the report, create a Launchpad bug if necessary, prefix the
|
||||||
project's core security review team or `Vulnerability Management
|
description with an `embargo reminder`_, add an ossa bugtask and
|
||||||
Liaison`_ for confirmation of impact and determination of
|
subscribe the project's core security review team for confirmation
|
||||||
affected branches. Reports starting with an "Incomplete" ossa
|
of impact and determination of affected branches. Reports starting
|
||||||
bugtask should have a corresponding incomplete reception message
|
with an *Incomplete* ossa bugtask should have a corresponding
|
||||||
added in a comment. Once we confirm that we will issue an OSSA for
|
`incomplete reception`_ message added in a comment. Once the VMT
|
||||||
it, switch the ossa bugtask status to *Confirmed*. If the need for
|
confirms an OSSA is warranted, the ossa bugtask status will be set
|
||||||
an OSSA is challenged, the ossa bugtask status should be set to
|
to *Confirmed*. If the need for an OSSA is challenged, the ossa
|
||||||
*Incomplete* until that question is resolved.
|
bugtask status should be set back to *Incomplete* until that
|
||||||
|
question is resolved.
|
||||||
|
|
||||||
|
For some lower-risk issues or problems which may only be easy to
|
||||||
|
solve in future releases, the ossa bugtask will be set to *Opinion*
|
||||||
|
and the core security reviewers for the OpenStack Security team will
|
||||||
|
be subscribed to determine whether they wish to issue an OSSN (these
|
||||||
|
reports may still sometimes remain under embargo until the OSSN is
|
||||||
|
issued). If no OSSA is warranted and there is no benefit to an OSSN_
|
||||||
|
then the ossa bugtask will be set to *Won't Fix* or *Invalid*
|
||||||
|
(depending on the specific situation) and the bug state switched
|
||||||
|
from *Private Security* to *Public*, optionally adding the
|
||||||
|
*security* bug tag if the report concerns a potential security
|
||||||
|
hardening opportunity. The specifics are indexed in the `report
|
||||||
|
taxonomy`_ and `task status`_ tables.
|
||||||
|
|
||||||
|
.. _embargo reminder: #reception-embargo-reminder-private-issues
|
||||||
|
.. _incomplete reception: #reception-incomplete-message-unconfirmed-issues
|
||||||
|
.. _OSSN: https://wiki.openstack.org/wiki/Security_Notes
|
||||||
|
.. _report taxonomy: #incident-report-taxonomy
|
||||||
|
.. _task status: #ossa-task-status
|
||||||
|
|
||||||
|
Patch development
|
||||||
|
^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
For a private report, the reporter (automatic if reported directly
|
||||||
|
as a bug) and the affected projects' core security review teams plus
|
||||||
|
anyone they deem necessary to develop and validate a fix are added
|
||||||
|
to the bug's subscription list. A fix is proposed as a patch to the
|
||||||
|
current master branch (as well as any affected supported branches)
|
||||||
|
and attached to the private bug report, **not sent to the public
|
||||||
|
code review system**.
|
||||||
|
|
||||||
|
For public reports, there is no need to directly subscribe anyone
|
||||||
|
and patches can be submitted directly to the code review system
|
||||||
|
instead of as bug attachments (though the bug should be referenced
|
||||||
|
in any commit messages so it will be updated automatically).
|
||||||
|
|
||||||
|
If project-side delays are encountered at this or any subsequent
|
||||||
|
stage of the process, the VMT and other interested parties may reach
|
||||||
|
out to that project's `Vulnerability Management Liaison`_ requesting
|
||||||
|
more immediate attention to the issue.
|
||||||
|
|
||||||
.. _Vulnerability Management Liaison: https://wiki.openstack.org/wiki/CrossProjectLiaisons#Vulnerability_management
|
.. _Vulnerability Management Liaison: https://wiki.openstack.org/wiki/CrossProjectLiaisons#Vulnerability_management
|
||||||
|
|
||||||
Patch Development
|
Patch review
|
||||||
^^^^^^^^^^^^^^^^^
|
|
||||||
|
|
||||||
The reporter, or the PTL, or any person that the PTL deems necessary
|
|
||||||
to develop the fix is added to the security bug subscription list. A
|
|
||||||
fix is proposed as a patch to the current master branch (as well as
|
|
||||||
any affected supported branches) and attached to the bug.
|
|
||||||
|
|
||||||
Patch Review
|
|
||||||
^^^^^^^^^^^^
|
^^^^^^^^^^^^
|
||||||
|
|
||||||
Once the initial patch has been posted, core developers of the
|
For a private report once the initial patch has been attached to the
|
||||||
project are added to the bug subscription list so that the proposed
|
bug, core reviewers on the subscription list from the project in
|
||||||
patch can be pre-approved for merging. Patches need to be
|
question should review it and suggest updates or pre-approve it for
|
||||||
pre-approved so that they can be fast-tracked through review at
|
merging. Privately-developed patches need to be pre-approved so that
|
||||||
|
they can be fast-tracked through public code review later at
|
||||||
disclosure time.
|
disclosure time.
|
||||||
|
|
||||||
Draft Impact Description
|
For public reports, OpenStack's usual public code review and
|
||||||
|
approval processes apply.
|
||||||
|
|
||||||
|
Draft impact description
|
||||||
^^^^^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
In the mean time, the VMT coordinator prepares a vulnerability
|
In the mean time, the VMT coordinator prepares a vulnerability
|
||||||
|
@ -96,13 +132,13 @@ describe impact and mitigation mechanisms. The VMT coordinator
|
||||||
should use the template below. Once the description is posted, the
|
should use the template below. Once the description is posted, the
|
||||||
ossa bugtask status should be switched to *Triaged*.
|
ossa bugtask status should be switched to *Triaged*.
|
||||||
|
|
||||||
Review Impact Description
|
Review impact description
|
||||||
^^^^^^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
The description is validated by the reporter and the PTL.
|
The description is validated by the reporter and the PTL.
|
||||||
|
|
||||||
CVE Assignment
|
Send CVE request
|
||||||
^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
To ensure full traceability, we get a CVE assigned before the issue
|
To ensure full traceability, we get a CVE assigned before the issue
|
||||||
is communicated to a larger public. This is generally done as the
|
is communicated to a larger public. This is generally done as the
|
||||||
|
@ -112,14 +148,14 @@ an encrypted+signed email in order to get a CVE assigned. If the
|
||||||
issue is already public, the CVE request should be sent to the
|
issue is already public, the CVE request should be sent to the
|
||||||
oss-security list instead, including links to public bugs.
|
oss-security list instead, including links to public bugs.
|
||||||
|
|
||||||
Get Assigned CVE
|
Get assigned CVE
|
||||||
^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
The CNA returns the assigned CVE. It is added to the Launchpad bug
|
The CNA returns the assigned CVE. It is added to the Launchpad bug
|
||||||
(see "link to CVE" at the top-right), and the bug is retitled to
|
(see "link to CVE" at the top-right), and the bug is retitled to
|
||||||
"$TITLE ($CVE)".
|
"$TITLE ($CVE)".
|
||||||
|
|
||||||
Embargoed Disclosure
|
Embargoed disclosure
|
||||||
^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
Once the patches are approved and the CVE is assigned, a signed
|
Once the patches are approved and the CVE is assigned, a signed
|
||||||
|
@ -140,8 +176,8 @@ advance notification is sent. Instead the OSSA bugtask is set to fix
|
||||||
committed status once the CVE assignment is received OSSA is
|
committed status once the CVE assignment is received OSSA is
|
||||||
drafting begins immediately.
|
drafting begins immediately.
|
||||||
|
|
||||||
Open Bug, Push Patches
|
Open bug, Push patch
|
||||||
^^^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
In preparation for this, make sure you have a core developer and a
|
In preparation for this, make sure you have a core developer and a
|
||||||
stable maintainer available to help pushing the fix at disclosure
|
stable maintainer available to help pushing the fix at disclosure
|
||||||
|
@ -161,6 +197,15 @@ test runs to complete), publish the advisory to the OpenStack ML.
|
||||||
Wait until all patches merged to supported branches before setting
|
Wait until all patches merged to supported branches before setting
|
||||||
the ossa bugtask status to *Fix released*.
|
the ossa bugtask status to *Fix released*.
|
||||||
|
|
||||||
|
All patches merged
|
||||||
|
^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
Patches approved in code review do not necessarily merge
|
||||||
|
immediately, but should be tracked closely until they do (if the bug
|
||||||
|
number is correctly identified in commit messages then it will be
|
||||||
|
automatically updated to reflect this as well). Subsequent security
|
||||||
|
point releases of affected software may then be tagged if warranted.
|
||||||
|
|
||||||
Incident Report Taxonomy
|
Incident Report Taxonomy
|
||||||
------------------------
|
------------------------
|
||||||
|
|
||||||
|
@ -255,7 +300,7 @@ Vulnerability reporters retain final control over the disclosure of
|
||||||
their findings. If for some reason they are uncomfortable with our
|
their findings. If for some reason they are uncomfortable with our
|
||||||
process, their choice of disclosure terms prevails.
|
process, their choice of disclosure terms prevails.
|
||||||
|
|
||||||
Embargo Exceptions
|
Embargo exceptions
|
||||||
^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
To keep the embargo period short and effective, the VMT may
|
To keep the embargo period short and effective, the VMT may
|
||||||
|
@ -267,7 +312,7 @@ Whenever such a case occurs, the ossg-coresec group is
|
||||||
subscribed to the bug report in order to discuss whether or not
|
subscribed to the bug report in order to discuss whether or not
|
||||||
it's imperative to keep that particular bug private.
|
it's imperative to keep that particular bug private.
|
||||||
|
|
||||||
Downstream Stakeholders
|
Downstream stakeholders
|
||||||
^^^^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
OpenStack as an upstream project is used in a number of
|
OpenStack as an upstream project is used in a number of
|
||||||
|
@ -288,7 +333,7 @@ please submit an email with a rationale to member(s) of the VMT_.
|
||||||
Templates
|
Templates
|
||||||
---------
|
---------
|
||||||
|
|
||||||
Reception Incomplete Message (Unconfirmed Issues)
|
Reception incomplete message (unconfirmed issues)
|
||||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
Since this report concerns a possible security risk, an incomplete
|
Since this report concerns a possible security risk, an incomplete
|
||||||
|
@ -297,7 +342,7 @@ reviewers for the affected project or projects confirm the bug and
|
||||||
discuss the scope of any vulnerability along with potential
|
discuss the scope of any vulnerability along with potential
|
||||||
solutions.
|
solutions.
|
||||||
|
|
||||||
Reception Embargo Reminder (Private Issues)
|
Reception embargo reminder (private issues)
|
||||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
This issue is being treated as a potential security risk under
|
This issue is being treated as a potential security risk under
|
||||||
|
@ -313,7 +358,7 @@ those who are made aware of the issue prior to publication. All
|
||||||
discussion should remain confined to this private bug report, and
|
discussion should remain confined to this private bug report, and
|
||||||
any proposed fixes should be added to the bug as attachments.
|
any proposed fixes should be added to the bug as attachments.
|
||||||
|
|
||||||
Impact Description ($DESCRIPTION)
|
Impact description ($DESCRIPTION)
|
||||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
::
|
::
|
||||||
|
@ -349,7 +394,7 @@ open-ended:
|
||||||
|
|
||||||
Affects: <=8.1.0 and ==9.0.0
|
Affects: <=8.1.0 and ==9.0.0
|
||||||
|
|
||||||
CVE Request Email (Private Issues)
|
CVE request email (private issues)
|
||||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
* *To:* CNA
|
* *To:* CNA
|
||||||
|
@ -371,10 +416,9 @@ CVE Request Email (Private Issues)
|
||||||
$VMT_COORDINATOR_NAME
|
$VMT_COORDINATOR_NAME
|
||||||
OpenStack Vulnerability Management Team
|
OpenStack Vulnerability Management Team
|
||||||
|
|
||||||
|
|
||||||
Email must be GPG-signed and GPG-encrypted.
|
Email must be GPG-signed and GPG-encrypted.
|
||||||
|
|
||||||
CVE Request Email (Public Issues)
|
CVE request email (public issues)
|
||||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
* *To:* oss-security@lists.openwall.com
|
* *To:* oss-security@lists.openwall.com
|
||||||
|
@ -385,8 +429,8 @@ CVE Request Email (Public Issues)
|
||||||
|
|
||||||
A vulnerability was discovered in OpenStack (see below). In order to
|
A vulnerability was discovered in OpenStack (see below). In order to
|
||||||
ensure full traceability, we need a CVE number assigned that we can
|
ensure full traceability, we need a CVE number assigned that we can
|
||||||
attach to further notifications. This issue is already public, although an
|
attach to further notifications. This issue is already public,
|
||||||
advisory was not sent yet.
|
although an advisory was not sent yet.
|
||||||
|
|
||||||
$DESCRIPTION
|
$DESCRIPTION
|
||||||
|
|
||||||
|
@ -395,42 +439,51 @@ CVE Request Email (Public Issues)
|
||||||
|
|
||||||
Thanks in advance,
|
Thanks in advance,
|
||||||
|
|
||||||
--
|
--
|
||||||
$VMT_COORDINATOR_NAME
|
$VMT_COORDINATOR_NAME
|
||||||
OpenStack Vulnerability Management Team
|
OpenStack Vulnerability Management Team
|
||||||
|
|
||||||
Email must be GPG-signed but not encrypted.
|
Email must be GPG-signed but not encrypted.
|
||||||
|
|
||||||
Downstream Stakeholders Notification Email (Private Issues)
|
Downstream stakeholders notification email (private issues)
|
||||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
We send two separate emails, to avoid off-topic replies to linux-distros:
|
||||||
|
|
||||||
* *To:* embargo-notice@lists.openstack.org
|
* *To:* embargo-notice@lists.openstack.org
|
||||||
|
* *To:* linux-distros@vs.openwall.org
|
||||||
|
|
||||||
|
Subject and content for both emails is identical:
|
||||||
|
|
||||||
* *Subject:* [pre-OSSA] Vulnerability in OpenStack $PROJECT ($CVE)
|
* *Subject:* [pre-OSSA] Vulnerability in OpenStack $PROJECT ($CVE)
|
||||||
|
|
||||||
::
|
::
|
||||||
|
|
||||||
This is an advance warning of a vulnerability discovered in OpenStack,
|
This is an advance warning of a vulnerability discovered in
|
||||||
to give you, as downstream stakeholders, a chance to coordinate the
|
OpenStack, to give you, as downstream stakeholders, a chance to
|
||||||
release of fixes and reduce the vulnerability window. Please treat the
|
coordinate the release of fixes and reduce the vulnerability window.
|
||||||
following information as confidential until the proposed public
|
Please treat the following information as confidential until the
|
||||||
disclosure date.
|
proposed public disclosure date.
|
||||||
|
|
||||||
$DESCRIPTION
|
$DESCRIPTION
|
||||||
|
|
||||||
Proposed patch:
|
Proposed patch:
|
||||||
See attached patches. Unless a flaw is discovered in them, these patches
|
See attached patches. Unless a flaw is discovered in them, these
|
||||||
will be merged to their corresponding branches on the public disclosure date.
|
patches will be merged to their corresponding branches on the public
|
||||||
|
disclosure date.
|
||||||
|
|
||||||
CVE: $CVE
|
CVE: $CVE
|
||||||
|
|
||||||
Proposed public disclosure date/time:
|
Proposed public disclosure date/time:
|
||||||
$DISCLOSURE, 1500UTC
|
$DISCLOSURE, 1500UTC
|
||||||
Please do not make the issue public (or release public patches) before
|
Please do not make the issue public (or release public patches)
|
||||||
this coordinated embargo date.
|
before this coordinated embargo date.
|
||||||
|
|
||||||
Regards,
|
Original private report:
|
||||||
|
https://launchpad.net/bugs/$BUG
|
||||||
--
|
For access to read and comment on this report, please reply to me
|
||||||
|
with your Launchpad username and I will subscribe you.
|
||||||
|
--
|
||||||
$VMT_COORDINATOR_NAME
|
$VMT_COORDINATOR_NAME
|
||||||
OpenStack Vulnerability Management Team
|
OpenStack Vulnerability Management Team
|
||||||
|
|
||||||
|
@ -439,8 +492,8 @@ something unique and descriptive for the patch attachment file
|
||||||
names, for example ``cve-2013-4183-master-havana.patch`` or
|
names, for example ``cve-2013-4183-master-havana.patch`` or
|
||||||
``cve-2013-4183-stable-grizzly.patch``.
|
``cve-2013-4183-stable-grizzly.patch``.
|
||||||
|
|
||||||
OpenStack Security Advisories
|
OpenStack security advisories (OSSA)
|
||||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
The document is first submitted as a yaml description to the ossa
|
The document is first submitted as a yaml description to the ossa
|
||||||
project using this template::
|
project using this template::
|
||||||
|
|
Loading…
Reference in New Issue