...

The description should properly credit the reporter, specify affected versions (including unsupported ones) and accurately describe impact and mitigation mechanisms. The VMS coordinator should use the template below.

Steps to be completed

  1. Prepare draft of vulnerability description

Review impact description

The description is validated by the reporter and the PTL.

Steps to be completed

  1. Review the draft of vulnerability description

Send CVE request

If the reporter did not request a CVE number on their own, the VMS coordinator should attempt to obtain one to ensure full traceability. This is generally done as the patch gets nearer to final approval. The approved impact description is submitted through MITRE’s CVE Request form. The request type is Request a CVE ID, the e-mail address should be that of the requester, and for critical reports the coordinator’s OpenPGP key should be pasted into the field provided.

...

At the bottom of the page, fill in the security code and click the submit request button. If some fields contain invalid data they will be highlighted red; correct these, update the security code and submit the request again until you get a confirmation page.

Steps to be completed

  1. Request CVE number

Get assigned CVE

MITRE returns the assigned CVE. It is added to the Jira ticket, and the bug is retitled to “$TITLE ($CVE)”.

Steps to be completed

  1. Receive the assigned CVE number
  2. Add received CVE number to the ticket
  3. Retitle the ticket to “$TITLE ($CVE)”

Embargoed disclosure

Once the patches are approved and the CVE is assigned, a signed email with the vulnerability description is sent to the downstream stakeholders. The disclosure date is set 3 to 5 business days ahead, excluding Mondays, Fridays and holiday periods, at 1400 UTC. No stakeholder is supposed to deploy public patches before the disclosure date.

For non-embargoed, public vulnerabilities no separate downstream advance notification is sent.

Steps to be completed

  1. Set up disclosure date with the reporter, PTL and required committers.
  2. Add note about planned disclosure date to the ticket
  3. Send a signed email with vulnerability description to downstream stakeholders.

Coordinated disclosure

In preparation for this, make sure you have a committer and a PTL available to help push the fix at disclosure time.

...

The PTL and committers who pre-approved the patch should, as soon as possible, add +2 on the pushed patch and merge it.

Publish the ONAP Security Advisory and update the ticket title to “[OSA-$NUM] $TITLE”.

...

MITRE’s CVE Request form should be used again at this point, but instead select a request type of Notify CVE about a publication and fill in the coordinator’s e-mail address, provide a link to the advisory (the URL of the official OSA), the CVE IDs covered, and the date published. Once more, fill in the security code at the bottom of the page and submit the request.

Steps to be completed

  1. Ensure that PTL and committers are available
  2. On the disclosure hour:
    1. Remove embargo notice from ticket description
    2. Open the ticket to public
    3. Push attached patches for review on master
    4. Notify PTL and committers that patch is ready to be merged
  3. Publish ONAP security advisory
  4. Update the ticket title to “[OSA-$NUM] $TITLE”
  5. Send notification to MITRE about the publication

The security team should make a judgement call on the severity of the issue for the most common use case of the project. Suggested impact rating categories:

...