NOTICE

THIS IS STILL WIP and has not been approved by the TSC yet. If you would like to report a security issue, please refer to the current procedure.

Glossary

Embargo: A time period during which key ONAP stakeholders have access to details concerning the security vulnerability, with an understanding not to publish these details or the fixes they have prepared. The embargo ends with a coordinated release date (CRD). (adapted from source)

Subject Matter Expert (SME): A developer or other specialist who can provide contextual information that helps to determine the validity and impact of a potential security vulnerability.

Security SME: A specialist who is familiar with the ONAP security vulnerability procedures and with security in general.

Peer reviewed: In the context of a patch, the term peer reviewed refers to the patch having been reviewed by the ONAP vulnerability sub-committee and any other relevant key stakeholders. There is not yet a strict definition of how many people need to have reviewed the patch, or how they provide sign-off.

...


Credits

This document is strongly based on the Vulnerability Management Process defined by the OpenStack community.

...

A report can be received either as a ticket in the Vulnerability Reporting Jira project /Insert link when created/, or as a private encrypted email to one of the VMS members /Insert a link to a suitable page/.

The steps that have to be completed depend on the reception method:

...

  1. Make the related ticket publicly visible.
  2. If a patch has already been proposed, push it immediately to Gerrit.
  3. Skip the embargoed disclosure.
  4. Send an email confirming that the issue has been leaked to the ONAP TSC Chair and the LFN representative (Kenny Paul and Jim Baker).
  5. The rest of the standard process should be followed and finished as soon as possible.

Roadmap

Action Items

...

Topic

...

Assignee

...

Description

...



...