
Coordinated vulnerability reporting is undefined, and should we use CVD instead? #64

Open
david-a-wheeler opened this issue Nov 8, 2024 · 2 comments

Comments

@david-a-wheeler (Contributor)

Current text:

  - id: OSPS-45
    maturity_level: 2
    category: Documentation
    criteria: |
      The project documentation MUST include a
      policy for coordinated vulnerability
      reporting, with a clear timeframe for
      response.
      Establish a process for reporting and
      addressing vulnerabilities in the project,
      ensuring that security issues are handled
      promptly and transparently.
    implementation: |
      Create a SECURITY.md file at the root of the
      directory, outlining the project's policy
      for coordinated vulnerability reporting.
      Include a method for reporting
      vulnerabilities. Set expectations for
      how the project will respond and address
      reported issues.

However, there's no clear definition of "coordinated vulnerability reporting".
Also, we're focused on projects, which are generally receiving reports;
they are not doing the reporting. I think we should use the term
"coordinated vulnerability disclosure" (CVD) instead, and cite
an authoritative definition with a link for more info.

The point is that the project will want reporters to privately give
them vulnerability reports & time to fix, with coordination between the parties.

Also: Should we recommend that the time limit be no more than 90 days?
If projects give themselves a year or 2, attackers will sometimes also
find it and exploit it while the project fails to take action.

Quick aside: the best practices badge does not mandate this because
there were projects that wanted full disclosure, that is, they didn't want
to try to keep things secret. I don't think full disclosure is a good idea
unless a project has already shown faithlessness in fixing vulnerabilities.
I am sympathetic that, years ago, getting private reports was hard
(GitHub didn't support it & encrypted email was too hard for most mortals).
Things have changed for the better, so perhaps it's time to require this.
I think it's worth proposing as a requirement.
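The proposal above has two checkable parts: a private reporting channel must be named, and the response timeframe must be stated (and, if the 90-day ceiling is adopted, must not exceed it). The following is an added example of how a baseline conformance check could evaluate a SECURITY.md for both; it is not code from the OSPS baseline project or from anyone on this thread. The regexes, the 90-day limit and the three sample policies are assumptions constructed for illustration, not text from any real project.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Patterns that indicate a reporting channel is named in the policy.
# "security/advisories" is the GitHub private-reporting URL path; an
# email address or any URL is accepted as a channel too. (Assumption:
# these three forms cover most real SECURITY.md files.)
CHANNEL_PATTERNS = {
    "github_advisory": re.compile(r"security/advisories", re.I),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "url": re.compile(r"https?://\S+"),
}

# "<number> <unit>" phrases such as "90 days" or "2 years". Spelled-out
# numbers ("ninety days") are not recognised; that is a known limitation.
TIMEFRAME_RE = re.compile(
    r"(\d+)\s*(days?|weeks?|months?|years?)\b", re.I
)

# Assumption: the 90-day ceiling proposed in the issue above.
MAX_DISCLOSURE_DAYS = 90

# Rough unit conversions; only the order of magnitude matters here.
UNIT_DAYS = {"day": 1, "week": 7, "month": 30, "year": 365}


@dataclass
class PolicyCheck:
    channels: List[str]            # which channel patterns matched
    timeframes_days: List[int]     # every stated timeframe, in days
    longest_days: Optional[int]    # the longest one, or None if absent
    within_limit: Optional[bool]   # longest <= max_days, or None if absent
    missing: List[str]             # human-readable list of gaps


def _to_days(count: int, unit: str) -> int:
    return count * UNIT_DAYS[unit.lower().rstrip("s")]


def check_security_policy(text: str, max_days: int = MAX_DISCLOSURE_DAYS) -> PolicyCheck:
    """Evaluate SECURITY.md text against the channel + timeframe criterion."""
    channels = [name for name, rx in CHANNEL_PATTERNS.items() if rx.search(text)]
    days = [_to_days(int(n), unit) for n, unit in TIMEFRAME_RE.findall(text)]
    longest = max(days) if days else None
    within = None if longest is None else longest <= max_days

    missing = []
    if not channels:
        missing.append("reporting channel")
    if longest is None:
        missing.append("response timeframe")
    return PolicyCheck(channels, days, longest, within, missing)


# Constructed sample policies (not from any real project).
GOOD_POLICY = """# Security Policy
Please report vulnerabilities privately via GitHub:
https://github.com/example-org/example/security/advisories/new
We will acknowledge reports within 3 days and aim to release a fix
and public advisory within 90 days of the report."""

SLOW_POLICY = """Email security@example.org with details.
We typically respond within 2 years."""

EMPTY_POLICY = """We take security seriously. Open an issue if you find something."""


if __name__ == "__main__":
    for label, policy in [("good", GOOD_POLICY), ("slow", SLOW_POLICY), ("empty", EMPTY_POLICY)]:
        result = check_security_policy(policy)
        print(label, result)
```

Running the block reports the good policy as within the limit (longest stated window 90 days), the slow one as out of limit (2 years is read as 730 days, the "year or 2" failure mode named above), and the empty one as missing both a channel and a timeframe. A real conformance tool would want a stricter notion of "private channel" than "any URL", but the structure of the check is the same.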

@SecurityCRob (Contributor)

I can try and find a canonical definition of CVD for us to cite. The projects should have a DISCLOSURE policy (typically documented in the security.md or like file). If they choose to use Full Disclosure, that's fine (we're not on the project, we don't get a vote there), but we should recommend CVD as the suggested norm.

@SecurityCRob (Contributor)

https://www.first.org/global/sigs/vulnerability-coordination/multiparty/
https://certcc.github.io/CERT-Guide-to-CVD/
"Coordinated Vulnerability Disclosure (CVD) is the process of gathering information from vulnerability finders, coordinating the sharing of that information between relevant stakeholders, and disclosing the existence of software vulnerabilities and their mitigations to various stakeholders including the public."
