Thanks for bringing up this discussion Dian! How to report security bugs to our project is a very important topic!

Big +1 on adding some explicit instructions in our document about how to report security issues, and I suggest opening another thread to vote on the reporting way in Flink. FWIW, known options to report security issues include:

1. Set up secur...@flink.apache.org and ask users to report security issues there
2. Ask users to send security reports to secur...@apache.org
3. Ask users to send security reports directly to priv...@flink.apache.org

More details: descriptions on http://apache.org/security/:

============================================
We strongly encourage folks to report security vulnerabilities to one of our private security mailing lists first, before disclosing them in a public forum.

A list of security contacts for Apache projects <http://apache.org/security/projects.html> is available. If you can't find a project specific security e-mail address and you have an undisclosed security vulnerability to report then please use the general security address below.

The general security mailing list address is: secur...@apache.org. This is a private mailing list.
============================================

There are also projects directly using the private@ mailing list to report security issues, such as HBase (as documented at the very beginning of its online ref-guide book here <http://hbase.apache.org/book.html#_preface>).

Hope this information helps. Thanks.

Best Regards,
Yu

On Thu, 14 Nov 2019 at 18:11, Chesnay Schepler <ches...@apache.org> wrote:

> Source: https://www.apache.org/security/
>
> Now, we can of course set up such a mailing list (as outlined here
> https://www.apache.org/security/committers.html), but I'm not sure if it
> is necessary since the number of reports is _really_ low.
>
> On 14/11/2019 11:03, Chesnay Schepler wrote:
> > AFAIK, the official way to report vulnerabilities in any Apache
> > project is to write to secur...@apache.org and/or notify the
> > respective PMC. So far, we had several reports that went this route,
> > hence I'm not convinced that an additional ML is required.
> >
> > I would be fine with an additional paragraph somewhere outlining this
> > though.
> >
> > On 14/11/2019 06:57, Jark Wu wrote:
> >> Hi Dian,
> >>
> >> Good idea and +1 to set up a security mailing list.
> >> Security vulnerabilities should not be publicly disclosed (e.g. via
> >> dev ML or JIRA) until the project has responded.
> >> However, AFAIK, Flink doesn't have an official process to
> >> report vulnerabilities.
> >> It would be nice to have one to protect Flink users and respond to
> >> security problems quickly.
> >>
> >> Btw, we may also need a dedicated page to describe the security
> >> vulnerability report process and CVE list on the website.
> >>
> >> Best,
> >> Jark
> >>
> >> On Thu, 14 Nov 2019 at 13:36, Hequn Cheng <chenghe...@gmail.com> wrote:
> >>
> >>> Hi Dian,
> >>>
> >>> Good idea! +1 to have a security mailing list.
> >>> It is nice for Flink to have an official procedure to handle security
> >>> problems, e.g., reporting, addressing and publishing.
> >>>
> >>> Best, Hequn
> >>>
> >>> On Thu, Nov 14, 2019 at 1:20 PM Jeff Zhang <zjf...@gmail.com> wrote:
> >>>
> >>>> Thanks Dian Fu for this proposal. +1 for creating a security mailing
> >>>> list. To be noticed, the security mailing list is a private mailing
> >>>> list and cannot be subscribed to publicly.
> >>>> FYI, Apache members can create mailing lists using this self-service
> >>>> tool https://selfserve.apache.org/
> >>>>
> >>>> jincheng sun <sunjincheng...@gmail.com> wrote on Thu, 14 Nov 2019 at 12:25 PM:
> >>>>
> >>>>> Hi Dian,
> >>>>>
> >>>>> Thanks a lot for bringing up this discussion. This is very important
> >>>>> for the Flink community!
> >>>>>
> >>>>> I think setting up a security mailing list for Flink is pretty nice,
> >>>>> although `secur...@apache.org` can be used and the report will be
> >>>>> forwarded to the Flink private mailing list if there is no project
> >>>>> specific security mailing list. One thing that is pretty sure is that
> >>>>> we should guide users on how to report security issues on the Flink
> >>>>> website, as security vulnerabilities should not be entered into a
> >>>>> project's public bug tracker directly according to the guidance on
> >>>>> how to handle security vulnerabilities on the ASF site[1].
> >>>>>
> >>>>> Besides, we also need to add a security page in Flink which shows the
> >>>>> information about the security vulnerabilities per the guidance on
> >>>>> publishing security vulnerabilities on the ASF site[2]. Projects such
> >>>>> as Spark[3], Kafka[4], etc. already have such a page.
> >>>>>
> >>>>> Best,
> >>>>> Jincheng
> >>>>>
> >>>>> [1] https://www.apache.org/security/committers.html#vulnerability-handling
> >>>>> [2] https://www.apache.org/security/committers.html#publishing-information
> >>>>> [3] https://spark.apache.org/security.html
> >>>>> [4] https://kafka.apache.org/cve-list
> >>>>>
> >>>>> Dian Fu <dian0511...@gmail.com> wrote on Thu, 14 Nov 2019 at 12:12 PM:
> >>>>>
> >>>>>> Hi all,
> >>>>>>
> >>>>>> I'm reaching out to see if there is an existing security specific
> >>>>>> mailing list in Flink. If there is, we should expose it on the
> >>>>>> official web site of Flink [1] to guide people to report security
> >>>>>> issues to this mailing list. If it still doesn't exist, I'm here to
> >>>>>> propose to set up a secur...@flink.apache.org mailing list for
> >>>>>> reporting and discussion of security specific issues. Currently,
> >>>>>> most well known Apache projects such as Apache Commons[2], Hadoop[3],
> >>>>>> Spark[4], Kafka[5], Hive[6], etc. have a security specific mailing
> >>>>>> list. It would be nice if there is also a security specific mailing
> >>>>>> list for Flink.
> >>>>>>
> >>>>>> Note that users should report security issues to the security
> >>>>>> mailing list.
> >>>>>>
> >>>>>> Looking forward to your feedback!
> >>>>>>
> >>>>>> Regards,
> >>>>>> Dian
> >>>>>>
> >>>>>> [1] https://flink.apache.org/community.html
> >>>>>> [2] https://commons.apache.org/mail-lists.html
> >>>>>> [3] https://hadoop.apache.org/mailing_lists.html
> >>>>>> [4] https://spark.apache.org/community.html
> >>>>>> [5] https://kafka.apache.org/project-security.html
> >>>>>> [6] https://hive.apache.org/mailing_lists.html
> >>>>
> >>>> --
> >>>> Best Regards
> >>>>
> >>>> Jeff Zhang