Clarify our process for managing security issue #10390
Conversation
| @@ -52,14 +52,18 @@ expected to be closed as soon as they're reviewed. | |||
| In order to gain interest and feedback in your feature, we encourage you to | |||
| present it to the community through the [community channels](https://www.silverstripe.org/community). | |||
|
|
|||
| ## Reporting Security Issues | |||
| ## Reporting Security Issues {#security-issue} | |||
There was a problem hiding this comment.
I don't think that's a better anchor than the auto-generated one
| See our "[Release Process](/contributing/release_process/#security-releases)" documentation for more info, and | ||
| read our guide on [how to write secure code](/developer_guides/security/secure_coding/). | ||
|
|
||
| Silverstripe CMS does not operate a *bug bounty* program. | ||
|
|
||
| Review our [Managing Security Guidelines](Managing-Security-Issues) guidelines to understand what happens once a vulnerability reported. |
There was a problem hiding this comment.
| Review our [Managing Security Guidelines](Managing-Security-Issues) guidelines to understand what happens once a vulnerability reported. | |
| Review our [Managing Security Guidelines](Managing-Security-Issues) guidelines to understand what happens once a vulnerability is reported. |
| @@ -0,0 +1,99 @@ | |||
| --- | |||
| title: Managing Security Issues | |||
| summary: This document highlights how Silverstripe CMS team handles security issue. | |||
There was a problem hiding this comment.
| summary: This document highlights how Silverstripe CMS team handles security issue. | |
| summary: This document highlights how the Silverstripe CMS team handles security issue. |
Is "Silverstripe CMS team" the best way to refer to us? I don't think that term is ever used anywhere else.
|
|
||
| # Managing Security Issues | ||
|
|
||
| This document aims to provide a high level overview of how the Silverstripe CMS team handles security issues. Only members of the Silverstripe CMS security team can perform the actions outline in this document. |
There was a problem hiding this comment.
| This document aims to provide a high level overview of how the Silverstripe CMS team handles security issues. Only members of the Silverstripe CMS security team can perform the actions outline in this document. | |
| This document aims to provide a high level overview of how the Silverstripe CMS team handles security issues. Only members of the Silverstripe CMS security team can perform the actions outlined in this document. |
|
|
||
| This process is relevant when a potential vulnerability is reported confidentially and the Silverstripe CMS development team is in a position to prepare a patch prior to the public disclosure of the vulnerability. | ||
|
|
||
| This process is usually started once someone [reports a security issue](Issues-and-Bugs/##security-issue). |
There was a problem hiding this comment.
Only one hash - and I think we should revert to the auto-generated anchor
There was a problem hiding this comment.
Also I'm not sure if capital letters will work here? The actual URL is all lower case.
|
|
||
| ### When receiving a report | ||
|
|
||
| * An automated response is sent back to the reporter to acknowledge receipt of their vulnerability report. |
There was a problem hiding this comment.
Why are these indented? Will this render correctly?
There was a problem hiding this comment.
Also what automated response?
|
|
||
| * An automated response is sent back to the reporter to acknowledge receipt of their vulnerability report. | ||
| * Perform an initial assessment of the report. | ||
| * [Create a issue in our private security repository](https://github.com/silverstripe-security/security-issues/issues/new) unless to report is obviously invalid. e.g. SPAM |
There was a problem hiding this comment.
| * [Create a issue in our private security repository](https://github.com/silverstripe-security/security-issues/issues/new) unless to report is obviously invalid. e.g. SPAM | |
| * [Create an issue in our private security repository](https://github.com/silverstripe-security/security-issues/issues/new) unless to report is obviously invalid. e.g. SPAM |
| * If encrypted information is provided, attach it to the private security issue. | ||
| * Reply to [security@silverstripe.org](mailto:security@silverstripe.org) only with a link to the private security issue. Keep most of the discussion on GitHub. | ||
| * Perform initial criticality assessment. Validate assessment with another member of the security team before replying to the reporter with your conclusion. Ensure the reporter is given a justification for all issues we classify or demote as non-security vulnerabilities. You may need to seek additional information from the reporter before completing the criticality assessment. | ||
| * Add a new issue in the "Backlog" on the [project board](https://github.com/silverstripe-security/security-issues/projects/1). |
There was a problem hiding this comment.
Sounds like we create a second issue for the same report - probably would be "move the issue to the backlog" instead?
| ### Perform release | ||
|
|
||
| * Public disclosure of security vulnerabilities need to happen in stable releases (not pre-releases) | ||
| * Merge back from [http://github.com/silverstripe-security](http://github.com/silverstripe-security) repos shortly at the release (minimise early disclosure through source code) |
There was a problem hiding this comment.
Not sure what "merge back" and "shortly at the release" mean...?
Is this cherry-picking the commit shortly before the release?
| * [Core committers](core_committers) | ||
|
|
||
| If at any time a release runs into an unsolveable problem contact the | ||
| core committers on the [discussion group](https://groups.google.com/forum/#!forum/silverstripe-committers) |
There was a problem hiding this comment.
This should probably be updated, I don’t think it exists anymore?
|
It's still a WIP PR. But thanks for the early feedback. |
|
Probably should convert to draft :p |
|
Note: This should not be merged here. I have started the process of migrating docs to a new repository so this PR should be closed and a new one should be created there. |
maxime-rainville
deleted the
pulls/4/add-guidnace-on-managing-security-issue
branch
|
New PR can be found here silverstripe/developer-docs#9 |
Parent issue
https://github.com/silverstripeltd/product-issues/issues/533