Clarify our process for managing security issue #10390
@@ -52,14 +52,18 @@ expected to be closed as soon as they're reviewed. | |||
In order to gain interest and feedback in your feature, we encourage you to | |||
present it to the community through the [community channels](https://www.silverstripe.org/community). | |||
|
|||
## Reporting Security Issues | |||
## Reporting Security Issues {#security-issue} |
I don't think that's a better anchor than the auto-generated one
See our "[Release Process](/contributing/release_process/#security-releases)" documentation for more info, and | ||
read our guide on [how to write secure code](/developer_guides/security/secure_coding/). | ||
|
||
Silverstripe CMS does not operate a *bug bounty* program. | ||
|
||
Review our [Managing Security Guidelines](Managing-Security-Issues) guidelines to understand what happens once a vulnerability reported. |
Review our [Managing Security Guidelines](Managing-Security-Issues) guidelines to understand what happens once a vulnerability reported. | |
Review our [Managing Security Guidelines](Managing-Security-Issues) guidelines to understand what happens once a vulnerability is reported. |
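Review bot: On the last added line of this hunk, `Review our [Managing Security Guidelines](Managing-Security-Issues) guidelines` repeats "guidelines" and drops the verb in "once a vulnerability reported"; suggest `Review our [Managing Security Issues](Managing-Security-Issues) guide to understand what happens once a vulnerability is reported.` The link target is a mixed-case page name while the other links in the same hunk use lower-case paths (compare `/contributing/release_process/#security-releases`), so confirm it resolves in the rendered docs. The explicit `{#security-issue}` anchor added to the heading duplicates the anchor the renderer already generates from the heading text; if the custom anchor is kept, the cross-reference in the new page must point at it with a single `#`.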
@@ -0,0 +1,99 @@ | |||
--- | |||
title: Managing Security Issues | |||
summary: This document highlights how Silverstripe CMS team handles security issue. |
summary: This document highlights how Silverstripe CMS team handles security issue. | |
summary: This document highlights how the Silverstripe CMS team handles security issue. |
Is "Silverstripe CMS team" the best way to refer to us? I don't think that term is ever used anywhere else.
|
||
# Managing Security Issues | ||
|
||
This document aims to provide a high level overview of how the Silverstripe CMS team handles security issues. Only members of the Silverstripe CMS security team can perform the actions outline in this document. |
This document aims to provide a high level overview of how the Silverstripe CMS team handles security issues. Only members of the Silverstripe CMS security team can perform the actions outline in this document. | |
This document aims to provide a high level overview of how the Silverstripe CMS team handles security issues. Only members of the Silverstripe CMS security team can perform the actions outlined in this document. |
|
||
This process is relevant when a potential vulnerability is reported confidentially and the Silverstripe CMS development team is in a position to prepare a patch prior to the public disclosure of the vulnerability. | ||
|
||
This process is usually started once someone [reports a security issue](Issues-and-Bugs/##security-issue). |
Only one hash - and I think we should revert to the auto-generated anchor
Also I'm not sure if capital letters will work here? The actual URL is all lower case.
|
||
### When receiving a report | ||
|
||
* An automated response is sent back to the reporter to acknowledge receipt of their vulnerability report. |
Why are these indented? Will this render correctly?
Also what automated response?
|
||
* An automated response is sent back to the reporter to acknowledge receipt of their vulnerability report. | ||
* Perform an initial assessment of the report. | ||
* [Create a issue in our private security repository](https://github.com/silverstripe-security/security-issues/issues/new) unless to report is obviously invalid. e.g. SPAM |
* [Create a issue in our private security repository](https://github.com/silverstripe-security/security-issues/issues/new) unless to report is obviously invalid. e.g. SPAM | |
* [Create an issue in our private security repository](https://github.com/silverstripe-security/security-issues/issues/new) unless to report is obviously invalid. e.g. SPAM |
* If encrypted information is provided, attach it to the private security issue. | ||
* Reply to [security@silverstripe.org](mailto:security@silverstripe.org) only with a link to the private security issue. Keep most of the discussion on GitHub. | ||
* Perform initial criticality assessment. Validate assessment with another member of the security team before replying to the reporter with your conclusion. Ensure the reporter is given a justification for all issues we classify or demote as non-security vulnerabilities. You may need to seek additional information from the reporter before completing the criticality assessment. | ||
* Add a new issue in the "Backlog" on the [project board](https://github.com/silverstripe-security/security-issues/projects/1). |
Sounds like we create a second issue for the same report - probably would be "move the issue to the backlog" instead?
### Perform release | ||
|
||
* Public disclosure of security vulnerabilities need to happen in stable releases (not pre-releases) | ||
* Merge back from [http://github.com/silverstripe-security](http://github.com/silverstripe-security) repos shortly at the release (minimise early disclosure through source code) |
Not sure what "merge back" and "shortly at the release" mean...?
Is this cherry-picking the commit shortly before the release?
* [Core committers](core_committers) | ||
|
||
If at any time a release runs into an unsolveable problem contact the | ||
core committers on the [discussion group](https://groups.google.com/forum/#!forum/silverstripe-committers) |
This should probably be updated, I don’t think it exists anymore?
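Review bot: The "When receiving a report" list states the automated-acknowledgement bullet twice (once indented, once at the top level of the list); keep one copy and name what sends the acknowledgement, otherwise the first step of the process cannot be verified by the security team. In the private-repository bullet, `Create a issue` and `unless to report is obviously invalid. e.g. SPAM` should read `Create an issue` and `unless the report is obviously invalid (e.g. spam)`. The final bullet of that list, `Add a new issue in the "Backlog"`, reads as creating a second issue for the same report; if the intent is to track the issue already created, say `Add the issue to the "Backlog" column on the project board`. The cross-link `(Issues-and-Bugs/##security-issue)` has a doubled `#` and a mixed-case path. In "Perform release", the link `http://github.com/silverstripe-security` should use `https://`, and `Merge back ... shortly at the release` needs concrete timing (for example, whether the fix is pushed to the public repository only once the tagged stable release is published), since the stated aim of that bullet is to avoid disclosing the fix through the public source tree ahead of the release. The front-matter `summary` line also needs "the Silverstripe CMS team handles security issues" (article and plural), and "actions outline in this document" should be "actions outlined".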
It's still a WIP PR. But thanks for the early feedback. |
Probably should convert to draft :p |
Note: This should not be merged here. I have started the process of migrating docs to a new repository so this PR should be closed and a new one should be created there. |
New PR can be found here silverstripe/developer-docs#9 |
Parent issue
https://github.com/silverstripeltd/product-issues/issues/533