wg-vulnerability-disclosures icon indicating copy to clipboard operation
wg-vulnerability-disclosures copied to clipboard

Published 20 hours ago verified publisher icon ossf

Project Idea - OpenSSF Inbound Vulnerability Reporting Policy

Open luigigubello opened this issue 2 years ago • 13 comments

Idea: Publish an org-level security policy for OpenSSF repositories, projects, services, and infrastructure.

Proposal

Note. This draft policy is trying to meet the following requirements:

  • Scalable for the entire organization: it should be a good enough policy for every new project, but every project can overwrite it if necessary
  • Not directly dependent on a "centralized" email address: even if OpenSSF should have a generic security email address to be reached by security researchers for every kind of security report, we can use GitHub to receive security reports for every project. This should help to have a segregation of duties (maintainers cannot read others’ reports) and every project can manage its own security reports autonomously.
  • Based on wg-vulnerability-disclosures template: https://github.com/ossf/oss-vulnerability-guide/blob/main/templates/security_policies/email_intake.md
  • Not in conflict with other policies (e.g. Alpha/Omega policy to disclose vulnerabilities)
  • Concise, short: no reason to have a long document, researchers want to just report the vulnerability.

luigigubello avatar Mar 25 '23 15:03 luigigubello

+1 I agree with the idea of publishing an org-level security policy for OpenSSF repositories, projects, services, and infrastructure.

ran-dall avatar Mar 25 '23 16:03 ran-dall

An org-level security policy should indeed go in the org's .github repo in a SECURITY.md file.

ljharb avatar Mar 25 '23 20:03 ljharb

Please change the document title. This is NOT a general-purpose security policy, this is a vulnerability disclosure policy. The title of the document should reflect that, so that people understand what they're going to be reading.

david-a-wheeler avatar Apr 12 '23 17:04 david-a-wheeler

Proposal "Inbound Vulnerability Disclosure Policy" - that is, add "inbound" to distinguish from "outbound".

david-a-wheeler avatar Apr 12 '23 17:04 david-a-wheeler

For clarification: a proposed outbound vulnerability disclosure policy is here: https://github.com/ossf/wg-vulnerability-disclosures/issues/122

david-a-wheeler avatar Apr 12 '23 17:04 david-a-wheeler

Hi 👋 I think we have version 1.0 ready for the final review and approval, I share the doc in OpenSSF channels #wg-vulnerability-disclosures and #tac.

Important checks before publishing the policy:

  • Review and approve the In-Scope list
  • Double-check if the security contact [email protected] exists and give access to the right people (otherwise no one can read the emails, temp owner might be someone from @ossf/wg-vulnerability-disclosures)

Next steps for v1.1

  • Add a PGP key to the policy

luigigubello avatar Apr 14 '23 15:04 luigigubello

We have temporarily removed the Safe Habor section because the Linux Foundation Counsel advised that the text as written has serious problems. Before releasing anything by making legal claims, we need a review and formal approval by Linux Foundation Counsel. In the meantime, we have edited the doc as they recommended. cc @david-a-wheeler (thank you 🙌 )

luigigubello avatar Apr 17 '23 17:04 luigigubello

@luigigubello - yes, security @ openssf.org exists. It's currently an alias to operations @ openssf.org, who can then redirect to the specific project.

david-a-wheeler avatar Apr 18 '23 15:04 david-a-wheeler

We have temporarily removed the Safe Habor section because the Linux Foundation Counsel advised that the text as written has serious problems.

We need to find a solution to keep this language in the document somehow.

Here are some example safe harbor policies we can pull from. If we come up with one that's international, we should work with the LF legal team to contribute it back here as well:

  • https://github.com/disclose/policymaker/tree/main/static/templates
  • One document: https://github.com/disclose/policymaker/blob/main/static/templates/disclose-io-safe-harbor/en-US.md

JLLeitschuh avatar Apr 18 '23 17:04 JLLeitschuh

Another example of Safer Harbor could be that of U.S. Department of Agriculture. It is quite generic to work for us - we need to adapt the text a bit - and it should be written in a (U.S.-oriented probably) legal language good for LF.

luigigubello avatar Apr 19 '23 07:04 luigigubello

Solid find and a good candidate!

JLLeitschuh avatar Apr 19 '23 12:04 JLLeitschuh

As per meeting May 1

Existing safe harbors in thread https://www.usda.gov/vulnerability-disclosure-policy https://github.com/disclose/policymaker/tree/main/static/templates https://github.com/disclose/policymaker/blob/main/static/templates/disclose-io-safe-harbor/en-US.md

Additional Safe Harbors https://docs.bugcrowd.com/researchers/reporting-managing-submissions/disclosure/disclose-io-and-safe-harbor/ [more we could look at those using bug crowd and their safe harbors] https://hackerone.com/security/safe_harbor?type=team https://www.microsoft.com/en-us/msrc/bounty-safe-harbor https://proton.me/security/safe-harbor https://docs.tosdr.org/sp/Security-Vulnerability-Safe-Harbor.125926922.html

And here are the common elements i see

  1. setting the purpose (we want people to disclose without legal consequence because of good faith attempts)
  2. terms/definitions
  3. scope/limits of what is covered (boundaries)
  4. promise not to go after legal action

not in all but in many

  1. third party provisions
  2. What they dont' want researchers to do (spamming content etc)
  3. how to handle pii (report immidiatly, stop do not continue, delete all data)

Also disclose.io inccludes safe harbor in their VDP suggestions... any reason not to collab and suggest using theirs? https://disclose.io/docs/recipients/

NicoleSchwartz avatar May 08 '23 06:05 NicoleSchwartz

@david-a-wheeler is there a current status or additional things to action on this?

NicoleSchwartz avatar Nov 15 '23 16:11 NicoleSchwartz