Rewrite - Vulnerability Management for Maintainers #129
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
trask
reviewed
Jun 5, 2025
| If Maintainers need assistance with how to handle a security vulnerability: | ||
|
|
||
| 1. For general guidance of a non sensitive nature, Contact the Security SIG | ||
| through the #otel-sig-security channel in the Cloud Native Slack workspace. |
There was a problem hiding this comment.
Suggested change
| through the #otel-sig-security channel in the Cloud Native Slack workspace. | |
| through the [#otel-sig-security](https://cloud-native.slack.com/archives/C05A85QC281) channel in the CNCF Slack workspace. |
Comment on lines
+193
to
+194
| 2. For sensitive guidance specific to an Advisory, reach out to Security SIG | ||
| Maintainers as they have access to all Advisories and can comment directly in |
There was a problem hiding this comment.
Suggested change
| 2. For sensitive guidance specific to an Advisory, reach out to Security SIG | |
| Maintainers as they have access to all Advisories and can comment directly in | |
| 2. For sensitive guidance specific to an Advisory, reach out to [Security SIG | |
| Maintainers](https://github.com/open-telemetry/sig-security#maintainers) as they have access to all Advisories and can comment directly in |
| 1. **Direct Vulnerabilities**: Always request a CVE when a vulnerability exists | ||
| in OTel's own code that could expose users to security risks. | ||
|
|
||
| 2. **Dependency Vulnerabilities**: Request a CVE if: |
There was a problem hiding this comment.
Suggested change
| 2. **Dependency Vulnerabilities**: Request a CVE if: | |
| 2. **Dependency Vulnerabilities**: Request a CVE if these are all true: |
|
|
||
| Note that the vulnerability impact for the OTel executable may be different | ||
| than for the dependency that caused it, depending on how it is used. Do not | ||
| assume that the OTel CVE must have the same score as the dependency's CVE. |
Comment on lines
+231
to
+232
| - The vulnerability only affects consumers who explicitly import both the | ||
| OTel library and the vulnerable dependency |
There was a problem hiding this comment.
I suspect that most dependencies are brought in transitively without explicit import
There was a problem hiding this comment.
also, similar bullets as above probably apply to libraries:
- The executable uses the vulnerable part of the dependency
- The vulnerability can be exploited through the executable's usage patterns
- The vulnerability creates a security impact for users of the executable
There was a problem hiding this comment.
can we have a threshold (Medium or lower) for transitive dependencies that we don't even need to do the analysis for? (as long as we are rolling update into next monthly release)
reyang
reviewed
Jun 9, 2025
Comment on lines
+127
to
+129
| vulnerability details before a fix is available. | ||
| 3. Only add Collaborators who are necessary for investigating or fixing the | ||
| issue. |
There was a problem hiding this comment.
Suggested change
| vulnerability details before a fix is available. | |
| 3. Only add Collaborators who are necessary for investigating or fixing the | |
| issue. | |
| vulnerability details before a fix is available. | |
| 3. Only add Collaborators who are necessary for investigating or fixing the | |
| issue. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Second part of the updates to the Vulnerability Management documentation.
This is a rewrite of the policies around how maintainers should handle vulnerabilities to match both actual practices and bring consistency to them.