[ovs-dev] [PATCH RFC] SECURITY: New document describing proposed security process for OVS.

Jiri Benc jbenc at redhat.com
Mon Jan 5 15:04:09 UTC 2015


On Fri,  2 Jan 2015 13:44:49 -0800, Ben Pfaff wrote:
> Open vSwitch needs some kind of process for handling vulnerabilities.  So
> far, we've been pretty lucky that way, but it can't last forever, and I
> think we'll be better off if we have at least the outline of an established
> process whenever a significant vulnerability comes along.  Here's my draft
> of a process based on the documentation of the OpenStack process at
> https://wiki.openstack.org/wiki/Vulnerability_Management.

This looks great. Minor notes below.

> +Step 4: Embargoed Disclosure
> +----------------------------
> +
> +The security advisory and patches are sent to downstream stakeholders,
> +with an embargo date and time set to 3 to 5 business days from the
> +time sent.  Downstream stakeholders are expected not to deploy or
> +disclose patches until the embargo is passed.
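Review bot: Step 4 fixes the embargo length at 3 to 5 business days "from the time sent" but does not say in which time zone the embargo date and time are expressed, which matters when downstream stakeholders span several regions. Suggest stating that the advisory itself carries the embargo expiry as an absolute timestamp in UTC, so every recipient reads the same deadline.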

I suggest creating a closed, unarchived mailing list for this, so no
stakeholder is forgotten if/when the person sending the advisory
changes.

> +
> +Operating system vendors are obvious downstream stakeholders.  It may
> +not be necessary to be too choosy about who to include: any major Open
> +vSwitch user who is interested and can be considered trustworthy
> +enough could be included.  To become a downstream stakeholder, email
> +the ovs-security mailing list.
> +
> +If the vulnerability is public, skip this step.
> +
> +
> +Step 5: Full Disclosure
> +-----------------------
> +
> +When the embargo expires, push the (reviewed) patches to appropriate
> +branches, post the patches to the ovs-dev mailing list (noting that
> +they have already been reviewed and applied), post the security
> +advisory to appropriate mailing lists (ovs-announce, ovs-users), and
> +post the security advisory on the Open vSwitch webpage.
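Review bot: Step 5 has the advisory go to ovs-announce, ovs-users and the webpage, but does not say that the advisory should identify the branches and commits the reviewed patches were pushed to, so a downstream reader cannot easily confirm that the fix they received under embargo matches what was published. Suggest adding a sentence that the public advisory lists the affected branches and the commit IDs of the fixes.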

...and perhaps also to the mailing list mentioned above?

Thanks!

 Jiri

-- 
Jiri Benc


