Hi John,

It looks nice. Two comments:

1. Regarding risk rating, it seems to me that CVSS (http://www.first.org/cvss) has wider adoption than the "OWASP risk rating methodology". Every security vulnerability in the National Vulnerability Database (http://nvd.nist.gov/) has a CVSS score.

2. It should be "Security team works with MITRE to reserve a CVE identifier". MITRE is the organization that manages CVE.

Thanks.

-Clement

-----Original Message-----
From: John Kinsella [mailto:j...@stratosec.co]
Sent: Thursday, June 21, 2012 7:26 PM
To: cloudstack-dev@incubator.apache.org
Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
Subject: Re: Query regarding where to store encryption keys

OK - draft up at http://wiki.cloudstack.org/display/COMM/Draft%3A+Security+response+procedure

I think out of the 3 below, I like the OS and Eucalyptus pages the most, as they stress that security is important and that contact will be responded to quickly.

Give feedback on the draft above - then let's talk next steps... I'd say we need a security list, a PGP key behind it, a security notification page somewhere on the CS site, and I wouldn't mind seeing a twitter feed specifically for security announcements, as well...

John

On Jun 20, 2012, at 1:21 PM, Clement Chen wrote:

> We should set up a dedicated channel for security issues and handle security
> bugs carefully.
>
> Below are some of the examples:
>
> Apache HTTP Server Project:
> http://httpd.apache.org/security_report.html
> OpenStack: http://openstack.org/projects/openstack-security/
> Eucalyptus:
> http://www.eucalyptus.com/eucalyptus-cloud/security/procedures
>
> -Clement
>
> -----Original Message-----
> From: David Nalley [mailto:da...@gnsa.us]
> Sent: Wednesday, June 20, 2012 12:59 PM
> To: cloudstack-dev@incubator.apache.org
> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
> Subject: Re: Query regarding where to store encryption keys
>
> On Wed, Jun 20, 2012 at 3:50 PM, Ewan Mellor <ewan.mel...@eu.citrix.com> wrote:
>>> -----Original Message-----
>>> From: David Nalley [mailto:da...@gnsa.us]
>>> Sent: Wednesday, June 20, 2012 12:32 PM
>>> To: cloudstack-dev@incubator.apache.org
>>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>>> Subject: Re: Query regarding where to store encryption keys
>>>
>>> On Wed, Jun 20, 2012 at 3:15 PM, Vijayendra Bhamidipati
>>> <vijayendra.bhamidip...@citrix.com> wrote:
>>>> Hi Team,
>>>>
>>>> This is with reference to bug CS-15151
>>>> (http://bugs.cloudstack.org/browse/CS-15151). I have some questions
>>>> and it would be great if you could share your knowledge and suggestions.
>>>>
>>>
>>> Why is that bug not publicly visible?
>>
>> Probably because it's highlighting a potential security hole. That seems
>> like a reasonable precaution for the reporter to have taken.
>>
>> Would you like to handle these some other way?
>>
>> Ewan.
>>
>
> That's a perfectly valid reason to keep it private - though now the content
> of the bug has been publicly discussed, so one wonders at the continued
> utility of it being private.
>
> Perhaps it's a good time to segue to discussing how we wish to handle
> security bugs, and get that documented.
>
> --David