...
- Ensure that PTL and committers are available
- On the disclosure hour:
- Remove embargo notice from ticket description
- Open the ticket to public
- Push attached patches for review on master
- Notify PTL and committers that patch is ready to be merged
- Publish ONAP security advisory
- Update the ticket title to “[OSA-$NUM] $TITLE”
- Sent notification to MITRE about a publication
Handling public/leaked security issues
What is considered public?
...
There will be occasions where the vulnerability management workflow process is either not followed, or at some stage a party leaks the details of the flaw. In these cases a different workflow is applicable, as there is no longer any need to maintain an embargo. The private security issue workflow can be followed from the "Disclosure date" step onwards.
Communication
Confirmed public security issues
When an issue is leaked
#security-status: confirmed-leaked
This issue has been confirmed as a security vulnerability in { project }. Unfortunately the details of this flaw have been made public { reference_to_leak }.
Therefore it cannot be fixed under the ONAP embargoed security vulnerability process.
As this issue is now public it is important that the flaw is addressed in a timely manner. The ONAP vulnerability sub-committee will ensure that a CVE is assigned for this issue.
When an issue was not reported privately
#security-status: confirmed-public
...
not follow and the issue is publicly disclosed before reporting it to the vulnerability subcommittee. In this case it's important to properly identify the issue and create a task to make it traceable. As the flaw has been already disclosed there is no need to keep the Jira ticket private so it should be sent to publicly available in a very beginning of the process. In general, standard vulnerability management process should be followed, just embargoed disclosure should be skipped.
Steps to be executed:
- Create ticket with issue description in Vulnerability Reporting Jira Project
- Make the ticket publicly visible
- Perform bug triage and CVE request if necessary
- Send email containing triage results to /Agree on email recipients/
- Rest of standard process should be followed, skipping embargoed disclosure step
Leaked security issue workflow
Occasionally it may happen that the bug reporter or some else break the embargo and disclose details of the flaw before official disclosure date. In this case a timely answer is extremely important.
Steps to be executed:
- Make the related ticket publicly visible
- If a patch has been already proposed push it immediately to gerrit
- Skip embargoed disclosure.
- Send email confirming that issue has been leaked to /Agree on email recipients/
- Rest of standard process should be followed and finished as soon as possible.
Roadmap
Action Items
Topic | Assignee | Description | Status | organizational | Stephen | Send out a call for participation and form the ONAP vulnerability sub-committee | infrastructure | Phil | Create a private mailing list for vulnerability management sub-committee | organizational | Vulnerability committee | Elect a chair | infrastructure | Phil | Enable private security issues in JIRA | infrastructure | security sub-committee | Create a public page indicating contact information for the ONAP vulnerability sub-committee. | documentation | Stephen | Create a public page detailing the vulnerability management process and how to report security problems to ONAP | documentation | security sub-committee | Create a single page listing the security issues fixed in ONAP projects (advisories) | communication | security sub-committee | Ensure the new security process is announced on all major mailing lists. |
References
- Common Vulnerabilities and Exposure (https://cve.mitre.org/about/faqs.html )
- CVE numbering authorities (https://cve.mitre.org/cve/cna.html)
- CVE FAQ (https://cve.mitre.org/about/faqs.html#what_is_cve_identifier )
...