
Automatic notifications based on issue parameters

Open RaitoBezarius opened this issue 5 months ago • 0 comments

Every day, we should determine to whom we should hand out notifications automatically.

Here are the dimensions for a given issue:

  • last time a notification was sent to that maintainer
  • last time since the status changed ("age")
  • severity of the issue (RCE, LPE, etc. vs. RegexDoS)
  • attack vectors: can receive untrusted attack inputs from trusted network, untrusted network, internet, etc.
  • which channels are affected: stable, unstable, EOL channels
  • whether the maintainer has declared himself to be away or not

The heuristic should answer:

  • "Should I send a notification today to remind of this current status?"

First implementation can be:

$$F = \alpha_1 \times \frac{1}{T_{\text{last\_notified}}} + \alpha_2 \times \frac{1}{T_{\text{age}}} + \alpha_3 \times S_{\text{severity}} + \alpha_4 \times V_{\text{attack\_vector}} + \alpha_5 \times C_{\text{channel\_affected}} - \beta \times M_{\text{away}}$$

Let $T_{\text{last notified}}$ represent the number of days since the last notification was sent to the maintainer. $T_{\text{age}}$ represents the number of days since the status of the issue last changed. $S_{\text{severity}}$ refers to the severity score of the issue, where higher values represent more critical issues (e.g., RCE = 10, RegexDoS = 3). $V_{\text{attack vector}}$ is the score of the attack vector, with higher values for more dangerous attack surfaces (e.g., Internet = 10, Trusted Network = 3). $C_{\text{channel affected}}$ represents the score of the affected channel, where stable and EOL channels have higher scores than unstable ones (e.g., Stable = 10, Unstable = 5). $M_{\text{away}}$ is a binary variable representing whether the maintainer has declared themselves to be away, where $M_{\text{away}} = 1$ means they are unavailable, and $M_{\text{away}} = 0$ means they are available. Finally, $\alpha_1, \alpha_2, \alpha_3, \alpha_4, \alpha_5$ are weights assigned to the respective factors, and $\beta$ is a penalty factor for the maintainer's unavailability. The threshold $W$ is a predefined value above which a notification will be sent.

Depends on:

  • #174

RaitoBezarius avatar Sep 20 '24 10:09 RaitoBezarius
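The scoring heuristic from the issue worked through in Python, as an added example that is not code from the issue or from the nix-security-tracker project. The severity, attack-vector and channel scores quoted in the issue are used as given; the LPE, Untrusted Network and EOL scores, the weights, the threshold W, and the handling of "never notified" and same-day values (which would otherwise divide by zero) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Scores quoted in the issue; the LPE, Untrusted Network and EOL values are assumed placeholders.
SEVERITY = {"RCE": 10, "LPE": 8, "RegexDoS": 3}
ATTACK_VECTOR = {"Internet": 10, "Untrusted Network": 6, "Trusted Network": 3}
CHANNEL = {"Stable": 10, "EOL": 10, "Unstable": 5}


@dataclass(frozen=True)
class Weights:
    """alpha_1..alpha_5, beta and the threshold W; all values are assumed and need tuning."""
    alpha1: float = 10.0  # weight on 1 / T_last_notified
    alpha2: float = 10.0  # weight on 1 / T_age
    alpha3: float = 1.0   # weight on S_severity
    alpha4: float = 1.0   # weight on V_attack_vector
    alpha5: float = 0.5   # weight on C_channel_affected
    beta: float = 15.0    # penalty applied when M_away = 1
    W: float = 20.0       # notify when F > W


def inv_days(days: Optional[int]) -> float:
    """1/T term. None (no such event yet) contributes 0, since 1/T -> 0 as T grows;
    T is clamped to at least one day so an event from today does not divide by zero (assumption)."""
    if days is None:
        return 0.0
    return 1.0 / max(days, 1)


def score(days_since_notified: Optional[int], days_since_status_change: Optional[int],
          severity: str, attack_vector: str, channel: str, away: bool,
          w: Weights = Weights()) -> float:
    """F for one (issue, maintainer) pair, term by term as in the formula."""
    return (w.alpha1 * inv_days(days_since_notified)
            + w.alpha2 * inv_days(days_since_status_change)
            + w.alpha3 * SEVERITY[severity]
            + w.alpha4 * ATTACK_VECTOR[attack_vector]
            + w.alpha5 * CHANNEL[channel]
            - w.beta * (1 if away else 0))


def should_notify(*args, w: Weights = Weights(), **kwargs) -> bool:
    """'Should I send a notification today?': F is above the threshold W."""
    return score(*args, w=w, **kwargs) > w.W


if __name__ == "__main__":
    # Constructed samples: an Internet-reachable RCE on stable, then a RegexDoS with an absent maintainer.
    print(score(2, 1, "RCE", "Internet", "Stable", away=False))  # 40.0 -> notify
    print(should_notify(10, 30, "RegexDoS", "Trusted Network", "Unstable", away=True))  # False
```

With these weights the away penalty only suppresses low-scoring issues; a critical issue still crosses W, which is the behaviour to check when tuning beta.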