
OpenSSF "Reporting" section

Open tarilabs opened this issue 10 months ago • 2 comments

We need to document the following sections with the minimal amount of effort required to meet the ask.

Bug-reporting process

  • [x] The project MUST provide a process for users to submit bug reports (e.g., using an issue tracker or a mailing list). (URL required) [report_process]
  • [x] The project SHOULD use an issue tracker for tracking individual issues. [report_tracker]
  • [x] The project MUST acknowledge a majority of bug reports submitted in the last 2-12 months (inclusive); the response need not include a fix. [report_responses]
  • [x] The project SHOULD respond to a majority (>50%) of enhancement requests in the last 2-12 months (inclusive). [enhancement_responses]
  • [x] The project MUST have a publicly available archive for reports and responses for later searching. (URL required) [report_archive]

Vulnerability report process

  • [ ] The project MUST publish the process for reporting vulnerabilities on the project site. (URL required) [vulnerability_report_process]
  • [ ] If private vulnerability reports are supported, the project MUST include how to send the information in a way that is kept private. (URL required) [vulnerability_report_private]
  • [ ] The project's initial response time for any vulnerability report received in the last 6 months MUST be less than or equal to 14 days. [vulnerability_report_response]

tarilabs avatar May 08 '25 13:05 tarilabs

The project MUST provide a process for users to submit bug reports (e.g., using an issue tracker or a mailing list). (URL required) [report_process]

As with other Kubeflow projects, Model Registry uses the GitHub Issue tracker: https://github.com/kubeflow/model-registry/issues/new/choose

The project SHOULD use an issue tracker for tracking individual issues. [report_tracker]

As with other Kubeflow projects, Model Registry uses the GitHub Issue tracker: https://github.com/kubeflow/model-registry/issues

The project MUST acknowledge a majority of bug reports submitted in the last 2-12 months (inclusive); the response need not include a fix. [report_responses]

Has always been the case for the project: https://github.com/kubeflow/model-registry/issues?q=is%3Aissue%20%20created%3A%3C2025-05-16%20label%3Abug

The project SHOULD respond to a majority (>50%) of enhancement requests in the last 2-12 months (inclusive). [enhancement_responses]

Has always been the case for the project: https://github.com/kubeflow/model-registry/issues?q=is%3Aissue%20%20created%3A%3C2025-05-16%20-label%3Abug

The project MUST have a publicly available archive for reports and responses for later searching. (URL required) [report_archive]

This requirement is covered, as the capability is available from the GitHub Issue tracker (both Resolved and Unplanned): https://github.com/kubeflow/model-registry/issues?q=is%3Aissue%20state%3Aclosed

tarilabs avatar May 16 '25 08:05 tarilabs

For the "Vulnerability report process" I've asked here: https://cloud-native.slack.com/archives/C08NY1D0NUQ/p1747468024019639

tarilabs avatar May 19 '25 08:05 tarilabs

The project MUST publish the process for reporting vulnerabilities on the project site. (URL required) [vulnerability_report_process]

We enabled "GitHub privately reporting a security vulnerability", as suggested in this item's details: <https://github.com/kubeflow/model-registry/security/advisories/new>

If private vulnerability reports are supported, the project MUST include how to send the information in a way that is kept private. (URL required) [vulnerability_report_private]

As above: <https://github.com/kubeflow/model-registry/security/advisories/new>

The project's initial response time for any vulnerability report received in the last 6 months MUST be less than or equal to 14 days. [vulnerability_report_response]

See: <https://github.com/kubeflow/model-registry/security/advisories>

tarilabs avatar Jun 24 '25 13:06 tarilabs

All items have been answered; if you are reading this, consider re-opening this issue if you want to amend any of the provided answers with more details!

tarilabs avatar Jun 24 '25 14:06 tarilabs

Refactoring OpenSSF badge according to:

The project MUST publish the process for reporting vulnerabilities on the project site. (URL required) [vulnerability_report_process]

We enabled "GitHub privately reporting a security vulnerability", as suggested in this item's details: <https://github.com/kubeflow/model-registry/security/advisories/new>. See <https://github.com/kubeflow/model-registry/blob/main/SECURITY.md>

If private vulnerability reports are supported, the project MUST include how to send the information in a way that is kept private. (URL required) [vulnerability_report_private]

See <https://github.com/kubeflow/model-registry/blob/main/SECURITY.md>

tarilabs avatar Jul 16 '25 15:07 tarilabs

Updated the OpenSSF badge to reflect @andreyvelich's PR, now merged, as above.

tarilabs avatar Jul 16 '25 15:07 tarilabs