Task Force Proposal: Security Vulnerability Disclosure #48

Closed
tkuhrt opened this issue Jan 26, 2023 · 0 comments
Labels
task-force-proposal Task Force Proposal

Comments

@tkuhrt (Contributor) commented Jan 26, 2023

Introduction/background material

The Security Task force provided recommendations to the 2022 TSC. One of those recommendations had to do with vulnerability disclosures.

A responsible vulnerability disclosure process does not exist. (Reference: https://github.com/ossf/wg-vulnerability-disclosures)

  • Have projects designate contact points as security mavens; this helps in auditing.
  • Audits serve as a way to prove that the project took the right measures against a potential risk.
  • CVEs will be published in the open at the end of 90 days, unless an extension is explicitly requested.

During the discussions with the 2022 TSC, there was concern about mandating vulnerability disclosure within 90 days.

Of note, Hyperledger documents a responsible disclosure policy in Security Team Policies as:

Responsible Disclosure

  • 48 hours to respond to reporter acknowledging the report.
  • 1 week to triage, report, and coordinate with the affected project maintainers to plan the fix of the bug.
  • 90 days to fix and release a fix or disclose the security bug.
  • Any "critical" errors shall be assigned a CVE number and disclosed through the formal CVE system.

Given this discrepancy in what is documented and what is understood, it seems that we need to revisit this to ensure that all Hyperledger projects understand their responsibilities when it comes to vulnerability disclosure and that we follow consistent practices across the different Hyperledger projects.

Other resources:

Task to be completed

Revisit the responsible disclosure documented policy and update the default template for vulnerability disclosure processes for Hyperledger projects to ensure visibility and consistency across Hyperledger projects.

List of deliverables or work products

  • Default template for vulnerability disclosure processes for Hyperledger projects

Time to complete (no more than 6 months)

TBD

Leader

Arun S M

Initial participant list

  • Venkatraman Ramakrishna (Rama)
  • Arnaud Le Hors
  • Hart Montgomery. I'd like to make this one a priority and can talk about it more. There are good opportunities for collaboration with the OpenSSF.