Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updating Export Control Guidance #290

Open
caniszczyk opened this issue Jan 26, 2022 · 4 comments
Open

Updating Export Control Guidance #290

caniszczyk opened this issue Jan 26, 2022 · 4 comments

Comments

@caniszczyk
Copy link
Contributor

The Kubernetes SC has requested that the LF look at updating our guidance on export control in relation to the kubernetes security disclosure process and security disclosure in particular:

https://www.linuxfoundation.org/tools/understanding-us-export-controls-with-open-source-projects/

The goal output here would be an update to the above document based on any input through the exercise.

@dims
Copy link
Member

dims commented Jan 26, 2022

We request the LF Legal team to vet the current SRC process [1] and update the LF/CNCF guidance, specifically, we want to know if the process SRC documented has any implications for folks in companies that are in the Export Administration Regulations Entity List. Currently these folks may be:

Case 1: A reporter of security related issues using the security mailing list requests status on their reported issue. Project investigation has subsequently led to a ripple of additional security vulnerability content in additional project(s), which are not yet public and may never fully be public. Is replying with detailed status (eg: the other project, other CVE code files/lines, proof-of-concept exploit) an export of a controlled class of information to a controlled entity?

Case 2: A member of the private distributors list [2] who are under embargo, receives detailed pre-disclosure of a new CVE. With controlled entities on the private distributors list is the SRC exposed to claims of an export of a controlled class of information to a controlled entity? [3].

Case 3: A reporter is privately collaborating with SRC in private conversation around investigation, test code, proof-of-concept experimentation which is never subsequently publicly shared on the internet. Does this conversation represent SRC export of a controlled class of information to a controlled entity?

Thanks,
Kubernetes Steering

[1] https://github.com/kubernetes/committee-security-response/blob/main/security-release-process.md
[2] https://github.com/kubernetes/committee-security-response/blob/main/private-distributors-list.md
[3] https://www.linuxfoundation.org/blog/linux-foundation-statement-on-huawei-entity-list-ruling/

@dims
Copy link
Member

dims commented Mar 25, 2022

Any update on this @caniszczyk ?

@caniszczyk
Copy link
Contributor Author

caniszczyk commented Mar 25, 2022 via email

@dims
Copy link
Member

dims commented Apr 14, 2022

UPDATE: @mkdolan has had an initial discussion with some folks from the Kubernetes Security Response Team today and walked through processes that has been documented by SRC. Next step is to set up a call with Mishi Choudhary hopefully the week of April 25th.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants