forked from cncf/tag-security
What: Initial set of project security resources (cncf#733)
* What: Initial set of project security resources

  Why:
  * cncf#138 detailed a need for this and was reiterated at a recent mtg.

  This change addresses the need by:
  * creating a project resources directory
  * linking to existing CNCF resources
  * pulling in content from @annabellegoth2boss recommendation

* What: fix spelling issues.
* What: correcting the rest of the spelling issues
* What: last two fixes
* What: Updating with GitHub CNA info

  Why:
  * CNCF/LF is not a CNA because GitHub is a CNA

  This change addresses the need by:
  * modifying the incident response template to call out the portion of GitHub docs.

* What: Adding dependabot info & maintenance

  Why:
  * dependabot is an ideal option when enabled for security updates and configured for versions.
  * @lumjjb suggested a maintenance section in the readme and that is always smart.

  This change addresses the need by:
  * added details to the readme
  * testing spelling

* What: adding disclaimer.
* What: Updates per review

  Why:
  * @lumjjb brought up some valid items
  * @jlk correctly pointed out the overuse of the word "issue" and potential confusion

  This change addresses the need by:
  * added in @lumjjb's suggestions
  * swapped `issue` for `problem` where appropriate
  * improved readability in README.md for maintenance
  * added disclaimer

* What: spelling update
* What: Updates per latest review

  Why:
  * nits found

  This change addresses the need by:
  * resolving nits

* What: more nits.
1 parent 2618635, commit e1d5fae
Showing 8 changed files with 354 additions and 2 deletions.
@@ -0,0 +1,76 @@ | ||
# Security resources for projects | ||
|
||
This directory is intended to provide CNCF and other open source projects with | ||
resources and templates to assist in kick-starting their security practices. The | ||
templates, guides, and other documents herein assist projects in completion of | ||
the [self-assessment](assessments/guide/self-assessment.md) as well as a few | ||
items in the [CII badging](https://bestpractices.coreinfrastructure.org/en) | ||
process. | ||
|
||
A special thank you to [Google's OSS vulnerability guide | ||
folks](https://github.com/google/oss-vulnerability-guide) for making the | ||
Security TAG aware of this collection of resources upon which much of this | ||
content was built on. | ||
|
||
* [SECURITY.md](templates/SECURITY) | ||
* draft security file that outlines subscribing to security bulletins, how | ||
to report issues, and supported versions. | ||
* [SECURITY_CONTACTS.md](templates/SECURITY_CONTACTS) | ||
* a draft security contacts file to allow potential issue submitters to know | ||
who they can expect to hear from or how to follow up on issues. | ||
* [ISSUE_TEMPLATE.md](templates/ISSUE_TEMPLATE.md) | ||
* a draft issue template to remind issue submitters that potential | ||
vulnerabilities **do not** get submitted as issues. | ||
* [incident-response.md](templates/incident-response.md) | ||
* a draft, detailed incident response plan that covers how to triage issues, | ||
confirm vulnerabilities, leverage security advisories, and push a | ||
patch/release. | ||
* [embargo-policy.md](templates/embargo-policy.md) | ||
* a draft embargo policy that outlines the time frame and conditions | ||
surrounding disclosures. | ||
* [embargo.md](templates/embargo.md) | ||
* a draft embargo notification that details the contents a notification should | ||
contain. | ||
|
||
Disclaimer: These resources are designed to be helpful to projects and | ||
organizations, they require customization and configuration by the project | ||
intending to use them. It does not prevent security issues from being found on a | ||
project, will not automatically resolve them, and does not place CNCF Security | ||
TAG as the responsible party. If changes are made to these templates, projects | ||
are not required to pull in a new update. | ||
|
||
## Dependabot Configuration | ||
|
||
All public repositories have dependabot graphs and alerts enabled. Projects are | ||
encouraged to also *[enable Dependabot security | ||
updates](https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates)* | ||
and *create a [custom configuration for their | ||
project](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-version-updates)*. | ||
|
||
## CNCF project templates | ||
|
||
In addition to the security resources provided here, [CNCF's TAG Contributor | ||
Strategy](https://github.com/cncf/tag-contributor-strategy/blob/main/README.md) | ||
has put together an [initial project template | ||
collection](https://github.com/cncf/project-template) with information on | ||
getting started. | ||
|
||
## Updates to this directory | ||
|
||
The project-resources directory is intended to be a living directory to include | ||
a lot of resources and templates any project or community may find useful as | ||
well as making those projects more security aware through simple and | ||
easy-to-adopt documentation. Updates, suggestions for updates, or discussions | ||
for updates should initiate with an | ||
[issue](https://github.com/cncf/tag-security/issues) and labeled with | ||
"suggestion". | ||
|
||
### Contributing updates | ||
|
||
All members of the community and projects are welcome to contribute updates to | ||
this directory. We ask potential contributors to refer to the existing content | ||
and discussions as guidance when determining the content of their updates. | ||
|
||
It is highly recommended that you seek peer review for your updates beyond that | ||
of the Technical Leads and Chairs. More information on contributions to this | ||
repo may be found in the [contributing file](../CONTRIBUTING.md) |
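Review bot: The first two entries in the file list, `[SECURITY.md](templates/SECURITY)` and `[SECURITY_CONTACTS.md](templates/SECURITY_CONTACTS)`, omit the `.md` extension that the other four entries and their own link text carry, so they will 404 unless the files are really extension-less; make them `templates/SECURITY.md` and `templates/SECURITY_CONTACTS.md`. Two wording points in the same hunk: "upon which much of this content was built on" doubles the preposition (drop the trailing "on"), and in the disclaimer "they require customization" is a comma splice while "It does not prevent" has no singular antecedent; "These resources ... require customization ... Using them does not prevent security issues from being found ..." reads cleanly.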
@@ -0,0 +1,26 @@ | ||
<!-- | ||
For Security vulnerabilities, please refer to our security page $LINK | ||
--> | ||
# Title | ||
|
||
### Summary | ||
|
||
<!-- | ||
Please provide a brief, high level summary of the issue you are having | ||
--> | ||
|
||
|
||
### Actual Behavior | ||
|
||
<!-- | ||
Please describe, in detail, step-by-step what behavior is occurring. Please | ||
include any screenshots or other relevant files to assist in duplicating the | ||
issue. | ||
--> | ||
|
||
|
||
### Expected Behavior | ||
|
||
<!-- | ||
Please describe, in detail, step-by-step what you expect to occur. | ||
--> |
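Review bot: The only redirection of vulnerability reports in this template is the HTML comment `For Security vulnerabilities, please refer to our security page $LINK`, which is invisible once the issue renders and is easily deleted by a submitter filling in the form, so the README's description of this file as reminding submitters that vulnerabilities **do not** get filed as issues is not met. Add a visible line above `# Title` (for example a bold "Do not report security vulnerabilities here; follow $LINK instead") and point `$LINK` at the project's SECURITY.md so the two templates stay consistent.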
@@ -0,0 +1,52 @@ | ||
# Security policy | ||
|
||
## Security bulletins | ||
|
||
For information regarding the security of this project please join: | ||
|
||
* $SLACK-CHANNEL | ||
* $EMAIL-LIST | ||
|
||
You may also subscribe to an RSS feed of the above using $LINK. | ||
|
||
## Reporting a vulnerability | ||
|
||
Please use the below process to report a vulnerability to the project: | ||
|
||
Email: | ||
|
||
1. Email the **$NAME**: **$ALIAS** | ||
* Emails should contain: | ||
* description of the problem | ||
* precise and detailed steps (include screenshots) that created the | ||
problem | ||
* the affected version(s) | ||
* any possible mitigations, if known | ||
1. You will receive a reply from one of the maintainers within **$X days** | ||
acknowledging receipt of the email. | ||
1. You may be contacted by a **$PERSON** to further discuss the reported item. | ||
Please bear with us as we seek to understand the breadth and scope of the | ||
reported problem, recreate it, and confirm if there is a vulnerability | ||
present. | ||
|
||
Web Form: | ||
|
||
1. Please visit **$LINK** | ||
* You will receive a confirmation email upon submission | ||
1. You may be contacted by a **$PERSON** to further discuss the reported item | ||
within **$X days**. Please bear with us as we seek to understand the breadth | ||
and scope of the reported problem, recreate it, and confirm if there is an | ||
vulnerability present. | ||
|
||
This project follows a **$X day disclosure timeline**. Refer to our embargo | ||
policy **$LINK** for more information. | ||
|
||
## Supported Versions | ||
|
||
Information regarding supported versions of this project can be found on | ||
**$LINK** located on the **$WEBSITE** and in the below table: | ||
|
||
| Version | Supported | | ||
| --- | --- | | ||
| x.xx.x | :white_check_mark: | | ||
| <=x.xx.x | :x: | |
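Review bot: In the Web Form steps, "confirm if there is an vulnerability present" should read "a vulnerability present" (the Email steps already have it right). The email path asks reporters to send precise reproduction steps and screenshots to **$ALIAS** with no mention of encryption; since this is the channel that carries undisclosed vulnerability details, add a placeholder for a public key or encrypted channel (for example `$PGP-KEY`) next to the alias, or state explicitly that plaintext reports are accepted. "$X day disclosure timeline" and the embargo policy **$LINK** should resolve to the same value and file as in embargo-policy.md so the two documents cannot drift apart.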
@@ -0,0 +1,15 @@ | ||
# Security Contacts | ||
|
||
Defined below are the security persons of contact for this project. If you have | ||
questions regarding the triaging and handling of incoming problems, they may be | ||
contacted. | ||
|
||
The following security contacts have agreed to abide by the Embargo Policy $LINK | ||
and will be removed and replaced if found to be in violation of that agreement. | ||
|
||
DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, USE THE | ||
INSTRUCTIONS AT $LINK | ||
|
||
Security Contacts: | ||
|
||
* $NAME: $ALIAS |
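Review bot: "security persons of contact" should be "security points of contact" (or simply "security contacts"). The file publishes each contact as `$NAME: $ALIAS` directly under an all-caps instruction not to report to these names, which is contradictory in practice because anyone who has the alias will use it; either list names only and route reports through the alias given in SECURITY.md, or state what happens to reports that arrive directly (they are fed into the normal process, not dropped). A line on who maintains this list and how often it is reviewed would also help, since the embargo policy depends on it being current.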
@@ -0,0 +1,30 @@ | ||
# Embargo Policy | ||
|
||
This policy forbids members of this project's security contacts $LINK and others | ||
defined below from sharing information outside of the security contacts and this | ||
listing without need-to-know and advance notice. | ||
|
||
The information members and others receive from the list defined below must: | ||
|
||
* not be made public, | ||
* not be shared, | ||
* not be hinted at | ||
* must be kept confidential and close held | ||
|
||
Except with the list's explicit approval. This holds true until the public | ||
disclosure date/time that was agreed upon by the list. | ||
|
||
If information is inadvertently shared beyond what is allowed by this policy, | ||
you are REQUIRED to inform the security contacts $LINK of exactly what | ||
information leaked and to whom. A retrospective will take place after the leak | ||
so we can assess how to not make this mistake in the future. | ||
|
||
Violation of this policy will result in the immediate removal and subsequent | ||
replacement of you from this list or the Security Contacts. | ||
|
||
## Disclosure Timeline | ||
|
||
This project sustains a **$X day disclosure timeline** to ensure we provide a | ||
quality, tested release. On some occasions, we may need to extend this timeline | ||
due to complexity of the problem, lack of expertise available, or other reasons. | ||
Submitters will be notified if an extension occurs. |
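Review bot: The policy twice refers to "others defined below" and "the list defined below", but nothing below defines any list; either add the list (or a `$LINK` to it) or reword to "the security contacts $LINK". In the bullet list, the lead-in "must:" followed by "* must be kept confidential and close held" doubles "must", "close held" should be "closely held", the third item lacks the trailing comma the others carry, and "Except with the list's explicit approval." is a sentence fragment; folding it into the lead-in, e.g. "Except with the list's explicit approval, the information ... must not be made public, shared, or hinted at, and must be kept confidential and closely held until the agreed public disclosure date/time", fixes all of these at once.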
@@ -0,0 +1,60 @@ | ||
# Notice of Embargo | ||
|
||
This is an embargoed notification that a vulnerability has been discovered in | ||
$PROJECT. This notice has been sent to subscribed distributors and service | ||
providers in order to allow for timely patching. You are receiving this | ||
notification as you have agreed to abide by the embargo policy ($LINK) on this | ||
project. Do not forward this information to other parties without complying with | ||
the instructions of the embargo policy. | ||
|
||
## Summary | ||
|
||
*2-3 sentences describing the vulnerability using technical details. This should | ||
only contain enough information to be able to make a quick determination of what | ||
the vulnerability is about.* | ||
|
||
### CVE | ||
|
||
#### $CVE-NUMBER | ||
|
||
### Versions | ||
|
||
#### $VERSION | ||
|
||
### Severity - [low, medium, high, critical] | ||
|
||
*Provide an attack scenario or other information to explain the risk associated. | ||
Use details gathered from the triage.* | ||
|
||
### Proof of Concept | ||
|
||
*Provide exact code or command lines in order to offer usable, precise, and | ||
repeatable methods for a subscriber to reproduce the problem and test fixes and | ||
mitigations.* | ||
|
||
### Remediation and Mitigation | ||
|
||
*Provide information on the known remediation or planned patch. Be sure to list | ||
when it will be available or links to where the patch will be available.* | ||
|
||
### Additional information | ||
|
||
*If you have additional information to provide, be sure to include it here.* | ||
|
||
## Timeline | ||
|
||
**Date reported:** DD MMM YYYY | ||
**Date fixed:** DD MMM YYYY | ||
**Date to be disclosed:** DD MMM YYYY | ||
|
||
### Public disclosure date: $DATE $TIME $TIMEZONE | ||
|
||
**Do not:** | ||
|
||
* make this problem public, | ||
* issue communications hinting at or regarding this, | ||
* share this with others, | ||
* issue public patches before the disclosure date | ||
|
||
This list will be notified immediately if the disclosure date is at risk or | ||
changes. Questions should be directed to the security contacts $LINK. |
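Review bot: The three Timeline lines (`**Date reported:**`, `**Date fixed:**`, `**Date to be disclosed:**`) are consecutive single lines with no blank line or trailing line break between them, so Markdown will render them as one run-on paragraph; make them a bullet list or end each line with two spaces. Minor wording: "explain the risk associated" should be "explain the associated risk", and the heading `### Severity - [low, medium, high, critical]` would be clearer as a placeholder such as `### Severity: $SEVERITY` with the allowed values noted in the italic guidance, matching the `$CVE-NUMBER` and `$VERSION` convention used just above it.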
@@ -0,0 +1,90 @@ | ||
# Incident response | ||
|
||
This serves to define how potential security issues should be triaged, how | ||
confirmation occurs, providing the notification, and issuing a security advisory | ||
as well as patch/release. | ||
|
||
## Triage | ||
|
||
### Identify the problem | ||
|
||
Triaging problems allows maintainers to focus resources on the most critically | ||
impacting problems. Potential security problems should be evaluated against the | ||
following information: | ||
|
||
* Which component(s) of the project is impacted? | ||
* What kind of problem is this? | ||
* privilege escalation | ||
* credential access | ||
* code execution | ||
* exfiltration | ||
* lateral movement | ||
* $CONTEXT_SPECIFIC_ISSUE | ||
* How complex is the problem? | ||
* Is user interaction required? | ||
* What privileges are required for this problem to occur? | ||
* admin | ||
* general | ||
* $CONTEXT_SPECIFIC_PRIVILEGE | ||
* What is the potential impact or consequence of the problem? | ||
* Does an exploit exist? | ||
|
||
Any potential problem that has an exploit, permits privilege escalation, is | ||
simple, and does not require user interaction should be evaluated immediately. | ||
[CVSS Version 3.1](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator) can be | ||
a helpful tool in evaluating the criticality of reported problems. | ||
|
||
### Acknowledge receipt of the problem | ||
|
||
Respond to the reporter and notify them you have received the problem and have | ||
begun reviewing it. Remind them of the embargo policy, and provide them | ||
information on who to contact/follow-up with if they have questions. Estimate a | ||
time frame that they can expect to receive an update on the problem. Create a | ||
calendar reminder to contact them again by that date to provide an update. | ||
|
||
### Replicate the problem | ||
|
||
Follow the instructions relayed in the problem. If the instructions are | ||
insufficient, contact the reporter and ask for more information. | ||
|
||
If the problem cannot be replicated, re-engage the reporter, let them know it | ||
cannot be replicated, and work with them to find a remediation. | ||
|
||
If the problem can be replicated, re-evaluate the criticality of the problem, and | ||
begin working on a remediation. Begin a draft security advisory. | ||
|
||
Notify the reporter you were able to replicate the problem and have begun working | ||
on a fix. Remind them of the embargo policy. If necessary, notify them of an | ||
extension (only for very complex problems where remediation cannot be issued | ||
within the project's specified window). | ||
|
||
#### Request a CVE number | ||
|
||
If a CVE has already been provided, be sure to include it on the advisory. If | ||
one has not yet been created, [GitHub functions as a | ||
CNA](https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories#cve-identification-numbers) | ||
and allows you to request one as part of the security advisory process. Provide | ||
all required information and as much optional information as we can. The CVE | ||
number is shown as reserved with no further details until notified it has been | ||
published. | ||
|
||
## Notification | ||
|
||
Once the problem has been replicated and a remediation is in place, notify | ||
subscribed parties with a security bulletin and the expected publishing date. | ||
|
||
## Publish and release | ||
|
||
Once a CVE number has been assigned, publish and release the updated | ||
version/patch. Be sure to notify the CVE group when published so the CVE details | ||
are searchable. Be sure to give credit to the reporter by *[editing the security | ||
advisory](https://docs.github.com/en/github/managing-security-vulnerabilities/editing-a-security-advisory#about-credits-for-security-advisories)* | ||
as they took the time to notify and work with you on the problem! | ||
|
||
### Issue a security advisory | ||
|
||
Follow the instructions from [GitHub to publish the security advisory previously | ||
drafted](https://docs.github.com/en/github/managing-security-vulnerabilities/publishing-a-security-advisory). | ||
|
||
For more information on security advisories, please refer to the [GitHub | ||
Article](https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories). |
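Review bot: "Once a CVE number has been assigned, publish and release the updated version/patch" gates the release on CVE assignment, but the "Request a CVE number" subsection already says the number stays in reserved state until the advisory is published, and "Be sure to notify the CVE group when published" does not say who that group is. Clarify the order: a reserved CVE is sufficient to cut the release, and publishing the GitHub security advisory (the "Issue a security advisory" step) is what moves a GitHub-assigned CVE from reserved to published, so that subsection belongs inside or directly before "Publish and release" rather than after it. Also "as much optional information as we can" should be "as you can" to match the second person used in the rest of the document.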