This section contains reference templates for the communication used in the Vulnerability Management Process.

All messages should be sent in plain text (encrypted if desired) without HTML content.

Reception confirmation email

Message should be signed.

Please double-check that the content of the original bug report is not included in plain text.

Dear {reporter},

Thank you for your report.

We confirm reception of your report. We have not yet classified your report, but we would like to assure you that we are looking into it.
We have created a private security issue in JIRA to track this issue:

	{jira_issue_url}

If you would like to participate in this ticket, please provide us with your JIRA username.
We will provide you with updates on the status of your report as soon as possible.

--
Thanks
{onap_vulnerability_sub-committee_member},
on behalf of the ONAP vulnerability sub-committee

Triage confirmation email

Message should be signed.

Dear {reporter},

This issue has been confirmed as a security vulnerability in { project }.
The initially assigned severity level is: {severity level}.
Please let us know if you disagree with our assessment.

We would like to get it fixed under the ONAP embargoed security vulnerability process. 
Please do not discuss or disclose details about this flaw prior to the agreed disclosure date (TBA). 
All decisions, discussions, and proposed patches and reviews are to be done via this tracking issue:

{jira_issue_url}

In general, we will request a CVE number for every confirmed security vulnerability to ensure full traceability.
Please let us know if you have already obtained a CVE number for this issue in order to avoid duplicates.

--
Thanks
{onap_vulnerability_sub-committee_member},
on behalf of the ONAP vulnerability sub-committee

Coordinated disclosure

Message should be signed.

Dear {reporter},

We have developed a patch that fixes the reported issue.
The allocated CVE number is: {CVE id}

We are now approaching the final step of our process, which is coordinated disclosure.
We have scheduled the publication date for {publication date}.
Please contact us immediately if you would like us to modify the disclosure date.

Thank you very much for following the responsible disclosure model.

--
{onap_vulnerability_sub-committee_member},
on behalf of the ONAP vulnerability sub-committee

Impact description

Title: $TITLE
Reporter: $CREDIT
Products: $PROJECT
Affects: $AFFECTED_VERSIONS

Description:
$CREDIT reported a vulnerability in [project feature name].
By doing [action] a [actor] may [impact] resulting in [consequence].
Only [project deployment mode] are affected.

Downstream stakeholders notification email

Message should be signed.

  • Subject: [pre-OSA] Vulnerability in ONAP $PROJECT ($CVE)

This is an advance warning of a vulnerability discovered in
ONAP, to give you, as downstream stakeholders, a chance to
coordinate the release of fixes and reduce the vulnerability window.
Please treat the following information as confidential until the
proposed public disclosure date.

$DESCRIPTION

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these
patches will be merged to their corresponding branches on the public
disclosure date.

CVE: $CVE

Proposed public disclosure date/time:
$DISCLOSURE, 1400UTC
Please do not make the issue public (or release public patches)
before this coordinated embargo date.

Original private report:
{jira_issue_url}
For access to read and comment on this report, please reply to me
with your JIRA username and I will subscribe you.

--
{onap_vulnerability_sub-committee_member},
on behalf of the ONAP vulnerability sub-committee

Security issue available in public (not reported privately)

Message should be signed.

  • Subject: [pre-OSA] Vulnerability in ONAP $PROJECT ($CVE) has been disclosed

Downstream stakeholders notification email
This is a warning of a vulnerability discovered in ONAP and published
without prior reporting to the ONAP Vulnerability Management subcommittee.
We will do our best to provide a fix as soon as possible, but until then
please be aware of the following issue:

$DESCRIPTION

Proposed patch:
There is no patch yet.

Proposed mitigations:
{mitigations if possible}

CVE: $CVE

Public bug report:
{jira_issue_url}

--
{onap_vulnerability_sub-committee_member},
on behalf of the ONAP vulnerability sub-committee

Security issue available in public (reported privately)

Message should be signed.

  • Subject: [pre-OSA] Vulnerability in ONAP $PROJECT ($CVE) has been leaked

Downstream stakeholders notification email
This is a warning of a vulnerability discovered in ONAP and leaked
before our coordinated disclosure.
We will do our best to provide a fix as soon as possible, but until then
please be aware of the following issue:

$DESCRIPTION

Proposed patch:
{link to patch if any}

Proposed mitigations:
{mitigations if possible and no patch proposed}

CVE: $CVE

Public bug report:
{jira_issue_url}

--
{onap_vulnerability_sub-committee_member},
on behalf of the ONAP vulnerability sub-committee

ONAP Security Advisories (OSA)

Message should be signed.

  • Subject: [pre-OSA] Vulnerability in ONAP $PROJECT ($CVE)
  • $CVE must always be of the form CVE-YYYY-XXXX
  • $NUM is of the form YYYY-XX

date: YYYY-MM-DD

id: OSA-$NUM

title: '$TITLE'

description: '$DESCRIPTION'

affected-products:

  - product: $PROJECT
    version: $AFFECTED_VERSIONS

vulnerabilities:

  - cve-id: $CVE

reporters:

  - name: '$CREDIT'
    affiliation: $CREDIT_AFFILIATION
    reported:
      - $CVE

issues:

  links:
    - {jira_issue_url}

reviews:

  $BRANCH:
    - {link to gerrit review}

  type: gerrit

notes:
  - 'Optional note such as cross project version requirements'
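To check that a filled-in advisory follows the constraints stated above (CVE id of the form CVE-YYYY-XXXX, OSA id of the form YYYY-XX, ISO date, every listed CVE credited to a reporter, gerrit review type), here is an added Python validator that is not part of the ONAP project or this page. The sample advisory, its project name and its URLs are constructed placeholders, and the CVE regex goes slightly beyond the text by accepting four or more sequence digits, as CVE ids may be longer.

```python
import re
from datetime import date

# Constructed sample advisory mirroring the OSA template fields
# (placeholder values only, not a real ONAP advisory).
SAMPLE_ADVISORY = {
    "date": "2019-07-01",
    "id": "OSA-2019-01",
    "title": "Example title",
    "description": "Example description",
    "affected-products": [{"product": "example-project", "version": "<= 1.0.0"}],
    "vulnerabilities": [{"cve-id": "CVE-2019-0001"}],
    "reporters": [{"name": "Example Reporter", "affiliation": "Example Org",
                   "reported": ["CVE-2019-0001"]}],
    "issues": {"links": ["https://jira.example.invalid/browse/EXAMPLE-1"]},
    "reviews": {"master": ["https://gerrit.example.invalid/c/example/+/1"],
                "type": "gerrit"},
    "notes": [],
}

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")   # CVE-YYYY-XXXX, 4 or more digits
OSA_ID_RE = re.compile(r"^OSA-\d{4}-\d{2}$")  # OSA-YYYY-XX
REQUIRED = ("date", "id", "title", "description", "affected-products",
            "vulnerabilities", "reporters", "issues", "reviews")


def validate_advisory(adv):
    """Return a list of problems found; an empty list means the advisory is well-formed."""
    problems = []
    for key in REQUIRED:
        if key not in adv:
            problems.append(f"missing key: {key}")
    try:
        date.fromisoformat(str(adv.get("date", "")))  # date: YYYY-MM-DD
    except ValueError:
        problems.append("date must be YYYY-MM-DD")
    if not OSA_ID_RE.match(str(adv.get("id", ""))):
        problems.append("id must be OSA-YYYY-XX")
    cves = [v.get("cve-id", "") for v in adv.get("vulnerabilities", [])]
    for cve in cves:
        if not CVE_RE.match(cve):
            problems.append(f"malformed CVE id: {cve!r}")
    # Cross-check: every CVE must be credited, and credits must refer to listed CVEs.
    reported = {c for r in adv.get("reporters", []) for c in r.get("reported", [])}
    for cve in set(cves) - reported:
        problems.append(f"{cve} has no credited reporter")
    for cve in reported - set(cves):
        problems.append(f"reporter credited for {cve} which is not listed under vulnerabilities")
    if adv.get("reviews", {}).get("type") != "gerrit":
        problems.append("reviews.type must be 'gerrit'")
    return problems
```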
