[ovs-dev] [PATCH RFC] SECURITY: New document describing proposed security process for OVS.
Ben Pfaff
blp at nicira.com
Tue Jan 6 18:05:58 UTC 2015
On Mon, Jan 05, 2015 at 02:30:10PM -0200, Flavio Leitner wrote:
> On Friday, January 02, 2015 05:57:14 PM Ben Pfaff wrote:
> > On Fri, Jan 02, 2015 at 01:44:49PM -0800, Ben Pfaff wrote:
> > > Open vSwitch needs some kind of process for handling vulnerabilities. So
> > > far, we've been pretty lucky that way, but it can't last forever, and I
> > > think we'll be better off if we have at least the outline of an established
> > > process whenever a significant vulnerability comes along. Here's my draft
> > > of a process based on the documentation of the OpenStack process at
> > > https://wiki.openstack.org/wiki/Vulnerability_Management.
> > >
> > > I don't have a lot of experience with this kind of thing myself, so I'd
> > > appreciate critical review from anyone who does.
> > >
> > > Signed-off-by: Ben Pfaff <blp at nicira.com>
> >
> > I received the following suggestions in private email from a person who
> > said that I could pass them along to the list as long as I do not use
> > his name because he prefers "not to be associated with the security
> > field." Fair enough! Here they are:
> >
> > 1) Consider provisions for ensuring privacy and integrity of
> > communications around disclosure (eg, use PGP for all comms).
>
> Yes, exactly what I meant in the other reply. I think it should be
> recommended but not required for the reporter when reporting
> the issue to the list. Further communications are required to
> ensure privacy and integrity.
I added at the top:
We encourage everyone involved in the security process to GPG-sign
their emails. We additionally encourage GPG-encrypting one-on-one
conversations as part of the security process.
and in step 5 (full disclosure):
The security advisory should be GPG-signed by a security team member
with a key that is in a public web of trust.