Introduce Hyperledger Foundation's security policy #143
Conversation
arsulegai
requested review from
TimoGlastra,
VRamakrishna,
bobbi28,
denyeart,
jimthematrix,
lehors,
mbrandenburger,
petermetz,
swcurran and
tkuhrt
as code owners
governing-documents/security.md
Outdated
| (we note that some projects may have different repositories with different | ||
| security policies). Please edit this as appropriate for your project and | ||
| delete this top section. For most projects, this will only involve minor | ||
| edits (look for text in red below). For projects that have security experts, |
There was a problem hiding this comment.
There is no red text in this document. Do we need to add formatting to allow for the red text to show? Or is there another way to represent this text in markdown?
There was a problem hiding this comment.
Thanks for catching that. I made the texts highlighted. Possible options in markdown are either to highlight text, bold text or italicize text. I am choosing to highlight these sections, please suggest.
There was a problem hiding this comment.
It looks like colored text is complicated in markdown, unfortunately.
There was a problem hiding this comment.
Agree. In other templates, I use tags.
governing-documents/security.md
Outdated
| vulnerability, then the reporter should be informed and this process can be | ||
| halted. If the report is still a regular bug (just not a security | ||
| vulnerability), the reporter should be informed (if necessary) of the regular | ||
| process for reporting bugs, available <where your project has regular bug reports>. |
There was a problem hiding this comment.
| process for reporting bugs, available <where your project has regular bug reports>. | |
| process for reporting bugs, available \<where your project has regular bug reports\>. |
Not sure if this is the correct formatting. The portion in the brackets do not show up in the markdown.
There was a problem hiding this comment.
I will make them highlighted.
governing-documents/security.md
Outdated
| channels. Github security vulnerability reporting (see below for more github | ||
| information): https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability. |
There was a problem hiding this comment.
Should the see below for more github information be a link to another section in this document? Or is it referring to this link given here?
There was a problem hiding this comment.
I think it's referring to more stuff below in the document, so yes, it should probably be a link.
There was a problem hiding this comment.
This part should have been pointers suggesting the possible options to report a security issue. The first one is the security mailing list, the other option is to use github's security reporting framework (the link following the text has more information on that). This section is acting as a template for project maintainers to define what they follow in their case.
governing-documents/security.md
Outdated
|
|
||
| It is recommended but not required that projects use Github as a CNA since the | ||
| reporting process here can be streamlined with the entire Github security | ||
| advisory process (see below). It is also considered reasonable to have bug |
There was a problem hiding this comment.
Can we provide a link to where we are referring when we say see below?
governing-documents/security.md
Outdated
| To report a security issue, please send an email with the name of the project, | ||
| a description of the issue, the steps you took to create the issue, affected | ||
| versions, and if known, mitigations for the issue. Note that this is a | ||
| mandatory response channel. We encourage reporters to default to this channel | ||
| for reporting vulnerabilities if there is no compelling reason to use other | ||
| channels. Github security vulnerability reporting (see below for more github | ||
| information): https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability. |
There was a problem hiding this comment.
OpenSSF advise at https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md:
"If your project is on GitHub, we recommend enabling privately reporting a security vulnerability"
It appears that most if not all Hyperledger projects have private reporting enabled.
With private reporting enabled, any public user can report a security vulnerability directly to the project:
https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability
I therefore think we need some more clarification in this section. Should users "Report a security vulnerability" via GitHub, or should they use the email? Which method is preferred and why?
I think the deciding factor will be who we want to see the initial reports. Do we want it to be the specific project maintainers? Or do we want it to be a cross-project Hyperledger security team? If the former we should guide towards the GitHub security advisory reporting. If the latter we should guide towards the email. Regardless of the decision here, we should make this document clear about the preferred method. (Note, I am open to either approach).
There was a problem hiding this comment.
I think we need to let the individual projects decide. Either one would be fine as long as it is clearly specified. Is there a reason why it should be one or the other?
Besu, for instance, has a very complicated security intake system (because they get bugs reported through a bunch of Ethereum channels).
There was a problem hiding this comment.
I should also note: the OpenSSF vulnerability disclosure WG did review this document and didn't have a problem with this part of the text.
There was a problem hiding this comment.
My preference (at least for Fabric) would be to use GitHub vulnerability reporting.
- Keep everything in one place.
- Leverage the existing and well-known GitHub process flow from report through private fork through publish.
- No need to email representatives of every project for an issue with a single project.
A valid reason to use the security email would be so that Hyperledger staff can easily monitor incoming issues and help route/escalate. I thought @hartm might prefer the email for this reason.
All this being said, I'm still fine letting each project decide. I would simply ask that we make the option more clear in this section.
|
Comments from the TOC meeting on 3rd August 2023:
|
The security policy that exists currently do not clearly differentiate the actions that a project team must take when a vulnerability is reported. It merely tells the process for reporting a vulnerability, having a foundation wide common structure to address the security issues is key to a healthy community building. The document here is a proposal put together by the security process task force setup by the Hyperledger TOC. Signed-off-by: hartm <[email protected]> Signed-off-by: S m, Aruna <[email protected]>
Co-authored-by: Tracy Kuhrt <[email protected]> Signed-off-by: Arun S M <[email protected]>
Signed-off-by: S m, Aruna <[email protected]>
Beautify using markdown format and structure. Signed-off-by: S m, Aruna <[email protected]>
Signed-off-by: S m, Aruna <[email protected]>
Signed-off-by: S m, Aruna <[email protected]>
arsulegai
force-pushed
the
security-gov
branch
from
4cb2434
to
1526401
Compare
|
Overall, I like the document. However, I find the mix of project guidance and the document being a template for a SECURITY.MD file project difficult. As a maintainer, I think starting the project/repository specific document from this document will be hard to maintain. I recommend either a second document that is the template for a project, or putting the template at the bottom of the document, clearly delineated from the policy text. The advantage of a separate document is that as the template evolves, it is relatively easy to compare a projects current policy from the Hyperledger Foundation’s recommend template. I think the template itself should be relatively short, have a pointer to the Hyperledger Foundation policy, and (as is used here) the highlighting to indicate where a project must make choices in their application of the secrity policy options. |
| `If the project does not use GitHub security advisories, explain how security | ||
| issues are publicly disclosed.` | ||
|
|
||
| ## Private Patch Deployment Infrastructure |
There was a problem hiding this comment.
Maintaining a private repo for the long term seems like a lot of overhead. Would it be better to document how to create a private repo for when it is needed? Not sure exactly how to do that, but I’m thinking this could be generic guidance, that a project could dry run and customize for their repo if deemed important to have ready ahead of time. E.g. create private fork of repo, change X, Y, Z in the pipeline to produce private artifacts.
There was a problem hiding this comment.
@swcurran this is done automagically by GitHub on a per-patch basis.
Signed-off-by: S m, Aruna <[email protected]>
|
@arsulegai I can make the edits I proposed above, but I think you first need to update the PR to "Allow edits from maintainers". |
Done @denyeart. I keep it disabled by default because it also shares the access to secrets. |
|
Per the discussion last week, I've created a draft PR in the Aries ACA-Py repository that I think is an appropriate basis for a "template" project To turn this into a template, I would:
For the policy document, I suggest changing the tone (where necessary) to be a policy document not a template, and having for each section of the template a discussion of the alternatives available for projects not wanting to follow the default. |
Thanks @swcurran , I agree your Aries SECURITY.md with some of the background discussion paragraphs removed is a more clear starting point for project visitors and a good basis for the SECURITY.md template. And I agree that the additional background discussion paragraphs should be included in a separate document that is linked from the SECURITY.md template. This will make the SECURITY.md more streamlined for project visitors, and easier for project maintainers to create based on the template with a simple copy/paste. The more streamlined SECURITY.md also resolves my prior comments about making the use of Github vulnerability reporting clear. Specifically your version of the SECURITY.md template makes it clear that there are two equal options for reporting vulnerabilities - the security email and the use of Github vulnerability reporting. |
|
Reworked in #167 |
There was a problem hiding this comment.
@arsulegai - we should get the changes here into a separate PR.
No description provided.