
Security audit WG disclosure process #3982

Closed
zelivans opened this issue Aug 8, 2019 · 6 comments

Comments

@zelivans

commented Aug 8, 2019

The security reports requested by the Security Audit Working Group were released two days ago on GitHub and published on the CNCF website.

The majority of the issues identified by the researchers in the ToB report had seemingly not been addressed at the time of the release. In the past day the new issues were assigned public GitHub issues. The issues can be tracked under kubernetes/kubernetes#81146.

Some of the issues described in the report should be treated as security enhancements or feature suggestions, and it may be desirable to make them public and open GitHub issues for their discussion. However, there are some issues that should be considered security vulnerabilities that would normally not be disclosed prior to a fix release.

  • Was there any reason for the full release of the reports publicly instead of being solved by a fix team and then released as described in the Kubernetes security release process?

  • Will any CVE IDs be allocated by the Kubernetes CNA for the specific issues that are to be considered security bugs?

@zelivans

Author

commented Aug 8, 2019

/committee product-security
/wg security-audit

@cblecker

Member

commented Aug 8, 2019

@liggitt

Member

commented Aug 8, 2019

  • Was there any reason for the full release of the reports publicly instead of being solved by a fix team and then released as described in the Kubernetes security release process?

The report was disclosed privately and each item reviewed by the product security committee prior to release. All of the identified items were judged to be appropriate to fix via a public issue, for one or more of the following reasons:

@liggitt

Member

commented Aug 8, 2019

/close

@k8s-ci-robot

Contributor

commented Aug 8, 2019

@liggitt: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@liggitt

Member

commented Aug 8, 2019

Will any CVE IDs be allocated by the Kubernetes CNA for the specific issues that are to be considered security bugs?

Yes, CVE IDs will be issued for security vulnerabilities.
