This repository has been archived by the owner on Jul 11, 2023. It is now read-only.
Add security markdown #4121
Closed
Add security markdown #4121
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
chore(pkg/envoy): log pod metadata always Signed-off-by: Phill Gibson <phillipgibson-github@outlook.com>
Signed-off-by: Phill Gibson <phillipgibson-github@outlook.com>
shashankram
reviewed
Sep 15, 2021
michelleN
suggested changes
Sep 16, 2021
There was a problem hiding this comment.
Thank you @phillipgibson.
- Since this doc is taken from the Helm project, could we add a line giving the Helm project attribution at the bottom of this doc?
- We don't at this time have a dedicated security team that is a subset of the maintainers so we may want to make sure there is one
- We don't at this time have guidance for the team on how to get CVE IDs. Do you know where we could get training for this from CNCF potentially? Is there a doc?
|
|
||
| ### When Not To Send A Report | ||
|
|
||
| * If a vulnerability has been found in an application managed by OSM. Instead, contact the application maintainers |
There was a problem hiding this comment.
I'm not sure "an application managed by OSM" is clear to me. Do we mean an application managed by an OSM control plane?
There was a problem hiding this comment.
Suggested change
| * If a vulnerability has been found in an application managed by OSM. Instead, contact the application maintainers | |
| * If a vulnerability has been found in a user application binary that does not belong to OSM, contact the application maintainers instead. |
|
Some questions that I have:
|
shashankram
suggested changes
Sep 22, 2021
| @@ -0,0 +1,76 @@ | |||
| # OSM Security Process and Policy | |||
|
|
|||
| This document provides the details on the OSM security policy and details the processes | |||
There was a problem hiding this comment.
Suggested change
| This document provides the details on the OSM security policy and details the processes | |
| This document provides the details on the OSM security policy and processes |
Comment on lines
+18
to
+22
| Name | Key URL | Fingerprint | ||
| ------------------ | ---------------------------------------------------- | ----------- | ||
| TBD | TBD | TBD | ||
| TBD | TBD | TBD | ||
| TBD | TBD | TBD |
|
|
||
| ### When Not To Send A Report | ||
|
|
||
| * If a vulnerability has been found in an application managed by OSM. Instead, contact the application maintainers |
There was a problem hiding this comment.
Suggested change
| * If a vulnerability has been found in an application managed by OSM. Instead, contact the application maintainers | |
| * If a vulnerability has been found in a user application binary that does not belong to OSM, contact the application maintainers instead. |
|
|
||
| ### Public Disclosure | ||
|
|
||
| A public disclosure of security vulnerabilities is released alongside release updates or details that fix the vulnerability. We try to fully disclose vulnerabilities once a mitigation strategy is available. Our goal is to perform a release and public disclosure quickly and in a timetable that works well for users. For example, a release may be ready on a Friday but for the sake of users may be delayed to a Monday. |
There was a problem hiding this comment.
I didn't get the last part on why a security release could be delayed for users. Could you clarify how delaying a security patch helps?
|
|
||
| New members are required to be active maintainers of OSM projects who are willing to perform the responsibilities outlined above. The security team is a subset of the maintainers. Members can step down at any time and may join at any time. | ||
|
|
||
| From time to time, OSM projects are deprecated. If at any time a security team member is found to be no longer be an active maintainer on active OSM projects, this individual will be removed from the security team. |
There was a problem hiding this comment.
What does OSM projects refer to here? We should clarify this because to be the security doc refers to the OSM project, so I am unsure why one would deprecate one or more OSM projects.
Suggested change
| From time to time, OSM projects are deprecated. If at any time a security team member is found to be no longer be an active maintainer on active OSM projects, this individual will be removed from the security team. | |
| From time to time, OSM projects may be deprecated. If at any time a security team member is found to be no longer be an active maintainer on active OSM projects, this individual will be removed from the security team. |
|
|
||
| ## Patch and Release Team | ||
|
|
||
| When a vulnerability comes in and is acknowledged, a team - including maintainers of the OSM project affected - will assembled to patch the vulnerability, release an update, and publish the vulnerability disclosure. This may expand beyond the security team as needed but will stay within the pool of OSM project maintainers. |
There was a problem hiding this comment.
Suggested change
| When a vulnerability comes in and is acknowledged, a team - including maintainers of the OSM project affected - will assembled to patch the vulnerability, release an update, and publish the vulnerability disclosure. This may expand beyond the security team as needed but will stay within the pool of OSM project maintainers. | |
| When a vulnerability comes in and is acknowledged, a team - including maintainers of the OSM project affected - will assemble to patch the vulnerability, release an update, and publish the vulnerability disclosure. This may expand beyond the security team as needed but will stay within the pool of OSM project maintainers. |
|
PR closed due to inactivity. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description: Add security markdown
Testing done: NA
Affected area:
Please answer the following questions with yes/no.
Does this change contain code from or inspired by another project? N/A
Is this a breaking change? No