Internal security process docs #6960
Conversation
| * Add fixes on the [http://github.com/silverstripe-security](http://github.com/silverstripe-security) repo | ||
| * Get them peer reviewed by posting on security@silverstripe.org with a link to github | ||
| * Before release (or release candidate) | ||
| * Merge back from [http://github.com/silverstripe-security](http://github.com/silverstripe-security) repos shortly before the release (minimise early disclosure through source code) |
There was a problem hiding this comment.
At the moment the release and the pushing to the open source branch(es)/tag(s) happen at once. They are tagged and pushed to the open source repos as part of the release process.
There was a problem hiding this comment.
Yes, this is more a "at release" rather than "before release".
There was a problem hiding this comment.
Sweet, changed "shortly before the release" to "at release"
| * Assign a unique identifier (see "Acknowledgement and disclosure") | ||
| * Respond to issue reporter with this identifier on the same discussion thread (cc security@silverstripe.org). Clarify issue if required. | ||
| * If encrypted information is provided, add pass phrases into the SilverStripe Ltd. LastPass account. Keep encrypted documents in Google Drive and only share directly with relevant participants | ||
| * Create a draft page under [Open Source > Download > Security Releases](https://www.silverstripe.org/admin/pages/edit/show/794) on silverstripe.org. Describe the issue in a readable way, make the impact clear. Credit the author if applicable. |
There was a problem hiding this comment.
I'm semi-confident about adding links to our internal CMS pages on a public repo. I'd rather have a redirector page with a canview = admin and a public human urlsegment. (redirectorpage can point to CMS sections).
There was a problem hiding this comment.
This isn't exposing anything that you couldn't guess within five seconds without thism ention, so it sounds like you're overthinking this :) If for some reason we change the ID, we'll update the link.
| * Clarify who picks up owns the issue resolution | ||
| * When developing a fix: | ||
| * Add fixes on the [http://github.com/silverstripe-security](http://github.com/silverstripe-security) repo | ||
| * Get them peer reviewed by posting on security@silverstripe.org with a link to github |
There was a problem hiding this comment.
We need to add these links to the internal jira; Keep the jira as the central point of management for these issues rather than the mailing list (which you can post to too, but we should be able to see all progress made on the jira ticket).
There was a problem hiding this comment.
Good point, I've changed to "with a link to the JIRA issue"
| * Before release (or release candidate) | ||
| * Merge back from [http://github.com/silverstripe-security](http://github.com/silverstripe-security) repos shortly before the release (minimise early disclosure through source code) | ||
| * Send out a note on the pre-announce list with a highlevel description of the issue and impact (usually a copy of the yet unpublished security release page on silverstripe.org) | ||
| * Link to silverstripe.org security release page in the changelog. |
There was a problem hiding this comment.
This is done automatically by cow and doesn't need to be a release task.
There was a problem hiding this comment.
How does that work? I want to specifically highlight any security issues at the top of the changelog, and deep link them into the relevant silverstripe.org page. I can't see how cow would pick that up?
| * Add a new bug on our [Open Source Security JIRA board](https://silverstripe.atlassian.net/secure/RapidBoard.jspa?rapidView=198&view=detail). Add a link to the [Google Groups](https://groups.google.com/a/silverstripe.com/forum/#!forum/security) discussion thread so it's easy to review follow up messages. | ||
| * Clarify who picks up owns the issue resolution | ||
| * When developing a fix: | ||
| * Add fixes on the [http://github.com/silverstripe-security](http://github.com/silverstripe-security) repo |
There was a problem hiding this comment.
Add
* Ensure that all security commit messages are prefixed with the CVE. E.g. "[ss-2015-001] Fixed invalid XSS"
We use a regexp to trace these security issues. :)
| Follow these instructions in sequence as much as possible: | ||
|
|
||
| * When receiving a report: | ||
| * Perform initial criticality assessment |
There was a problem hiding this comment.
, and ensure that the reporter is given a justification for all issues we classify or demote as non-security vulnerabilities.
|
|
||
| * When receiving a report: | ||
| * Perform initial criticality assessment | ||
| * Assign a unique identifier (see "Acknowledgement and disclosure") |
There was a problem hiding this comment.
E.g. SS-2017-001, based on reported year and order reported.
There was a problem hiding this comment.
Reworded to be a bit clearer (JIRA is the unique source for those), and added
| * Respond to issue reporter with this identifier on the same discussion thread (cc security@silverstripe.org). Clarify issue if required. | ||
| * If encrypted information is provided, add pass phrases into the SilverStripe Ltd. LastPass account. Keep encrypted documents in Google Drive and only share directly with relevant participants | ||
| * Create a draft page under [Open Source > Download > Security Releases](https://www.silverstripe.org/admin/pages/edit/show/794) on silverstripe.org. Describe the issue in a readable way, make the impact clear. Credit the author if applicable. | ||
| * Add a new bug on our [Open Source Security JIRA board](https://silverstripe.atlassian.net/secure/RapidBoard.jspa?rapidView=198&view=detail). Add a link to the [Google Groups](https://groups.google.com/a/silverstripe.com/forum/#!forum/security) discussion thread so it's easy to review follow up messages. |
There was a problem hiding this comment.
I might add this higher; All of the above information (e.g. lastpass links, google docs) need to be added to the ticket.
chillu
force-pushed
the
pulls/4.0/security-process-docs
branch
from
c89d0a9
to
b137e91
Compare
|
OK, I've updated this will all the feedback - ready to merge? |
No description provided.