Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Document Recommendations for Vulnerability Report Handling #1259

Closed
eddie-knight opened this issue May 23, 2024 · 13 comments
Closed

Document Recommendations for Vulnerability Report Handling #1259

eddie-knight opened this issue May 23, 2024 · 13 comments

Comments

@eddie-knight
Copy link
Collaborator

Problem

Several inquiries have recently been brought to us regarding how to respond to or address a vulnerability report to a CNCF project. The advice we provide is rarely unique to the situation, but someone from the TAG must spend cycles on the issue before being sure.

Solution

The community could be served by a general guidance document as the entrypoint for such inquiries. For example, a list of frequently asked questions or common situations could conclude with steps to reach the TAG if the situation is unique.

@mlieberman85
Copy link
Collaborator

I think also some projects aren't aware of what should be considered a vulnerability vs. what is misconfiguration or similar.

Stuff to put into that document is also highlighting the threat model as well. A common misconception is just because an application if compromised could leak data it's the same as if the application is in fact compromised.

@anvega
Copy link
Contributor

anvega commented May 25, 2024

Project teams should assess vulnerabilities themselves following standard practices similar to bug reports, which includes gathering enough information to verify and reproduce, and then triaging. If they find that the reported issue does not constitute a true vulnerability, or if they have doubts about its validity, they should discuss this with the reporter to clarify the situation.

Discussing or sharing the report outside of their group would not adhere to responsible disclosure practices. Private reports should only be shared with those who have a legitimate need to know, such as maintainers of other affected projects they integrate with or individuals with whom they have specific vulnerability sharing agreements (although such agreements are rare in OSS).

What we do look for and ask projects moving from sandbox to incubation is:

  • The project must provide a process for users to submit bug reports (e.g., using an issue tracker or a mailing list).
  • The project must publish the process for reporting vulnerabilities on the repo and project site.
  • The project must include how to send the information in a way that is kept private.
  • Respond to reports in a reasonable timeline (The project's initial response time for any vulnerability report received in the last 6 months must be less than or equal to 14 days.)
  • Offer credit (The project must give credit to the reporter(s) of all vulnerability reports resolved in the last 12 months, except for the reporter(s) who request anonymity.)
  • The project must have a documented process for responding to vulnerability reports.
  • Publish clear security advisories and changelogs.
    *Must explain mitigations when discussing vulnerabilities or security issues in any comms.

While the topic is important, it is already extensively covered in existing resources on vulnerability management as well as incident response. Might be hard to create an exhaustive authoritative document, particularly with the other suggested topics. I suggest instead compiling a list of these existing resources for project teams to reference.

@eddie-knight
Copy link
Collaborator Author

Thanks @anvega. I think the most important part you highlighted is that there are existing recommendations already captured throughout the TAG resources. It'll be helpful to reference those from a centralized recommendation of how to respond to a vuln report.

@mlieberman85
Copy link
Collaborator

@anvega Agreed. I think one thing that is missing maybe is just pointing people in the right direction as well as making sure CNCF staff understands this as well. In a few cases they've directed projects to reach out to us.

One particular thing I think we should do I think is point folks to resources on what sorts of things tend to count as a vulnerability. Looking through our existing resources I couldn't find anything but I also don't think we should create one ourselves as I'm sure there' something pre-existing stuff out there.

@anvega
Copy link
Contributor

anvega commented May 28, 2024

Sure. To address the need for clarity on what constitutes a vulnerability, project maintainers must understand better than anyone else under what conditions a bug, a particular configuration, or deployment parameters become a security risk. They should be able to perform a contextual risk evaluation to determine if what is being reported can render the software vulnerable to attack.

Something to keep in mind even in compiling recommendations is that while there are obvious vulnerabilities like broken auth, SQL injection, XSS, CSRF, etc., it's hard to give guidance that something counts as a vulnerability without context or intimate working knowledge, as conditions will be variable and project specific. We can call out risks to watch out for but the final determination is something only each project is in a position to do.

A methodical approach to this is to use a standard software security framework, such as the OWASP SAMM Project, BSSIM, or any other standard Software Security Maturity model. This involves identifying threat agents, attack vectors, security weaknesses, security controls, technical impacts, and business impacts of an identified bug in terms of security.

@anvega
Copy link
Contributor

anvega commented Jun 4, 2024

I found this topic to be fairly well covered by a resource within the family/in-house:

The guide that contains those sections is linked here:

@eddie-knight
Copy link
Collaborator Author

@mlieberman85 What do you think about linking to this one? It seems to address all of the original concerns.

https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md#troubleshooting-common-challenges-to-coordinated-vulnerability-disclosure

@mlieberman85
Copy link
Collaborator

@mlieberman85 What do you think about linking to this one? It seems to address all of the original concerns.

https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md#troubleshooting-common-challenges-to-coordinated-vulnerability-disclosure

I was just reading it. Looks good to me.

@eddie-knight
Copy link
Collaborator Author

Any ideas for where we should add the pointer?

@anvega
Copy link
Contributor

anvega commented Jun 5, 2024

A good place is the README for this repository, possibly under 'Additional Information,' if you add some language on ecosystem guidance or something along those lines, if for whatever reason this turned out to be the place people would come searching for this.

@eddie-knight
Copy link
Collaborator Author

Let's address this during #1260 — We're planning to migrate a page from contribute.cncf.io specifically dedicated to advice for project maintainers. This would be a great addition to that page.

@anvega
Copy link
Contributor

anvega commented Jun 12, 2024

Actually, this is already covered under project-resources/templates/incident-response.md

@mnm678
Copy link
Collaborator

mnm678 commented Aug 19, 2024

The remaining work here is tracked in #1260, which can link to the guidance discussed here.

@mnm678 mnm678 closed this as completed Aug 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants