On Fri, 2 Jan 2015 13:44:49 -0800, Ben Pfaff wrote:
> Open vSwitch needs some kind of process for handling vulnerabilities. So
> far, we've been pretty lucky that way, but it can't last forever, and I
> think we'll be better off if we have at least the outline of an established
> process whenever a significant vulnerability comes along. Here's my draft
> of a process based on the documentation of the OpenStack process at
> https://wiki.openstack.org/wiki/Vulnerability_Management.
This looks great. Minor notes below.

> +Step 4: Embargoed Disclosure
> +----------------------------
> +
> +The security advisory and patches are sent to downstream stakeholders,
> +with an embargo date and time set to 3 to 5 business days from the
> +time sent. Downstream stakeholders are expected not to deploy or
> +disclose patches until the embargo is passed.

I suggest creating a closed, unarchived mailing list for this, so no
stakeholder is forgotten if/when the person sending the advisory changes.

> +
> +Operating system vendors are obvious downstream stakeholders. It may
> +not be necessary to be too choosy about who to include: any major Open
> +vSwitch user who is interested and can be considered trustworthy
> +enough could be included. To become a downstream stakeholder, email
> +the ovs-security mailing list.
> +
> +If the vulnerability is public, skip this step.
> +
> +
> +Step 5: Full Disclosure
> +-----------------------
> +
> +When the embargo expires, push the (reviewed) patches to appropriate
> +branches, post the patches to the ovs-dev mailing list (noting that
> +they have already been reviewed and applied), post the security
> +advisory to appropriate mailing lists (ovs-announce, ovs-users), and
> +post the security advisory on the Open vSwitch webpage.

...and perhaps also to the mailing list mentioned above?

Thanks!

 Jiri

-- 
Jiri Benc
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
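Review bot: Step 5 is triggered by "When the embargo expires", but Step 4 says to skip the embargo entirely when the vulnerability is already public, so the draft never says when Step 5 happens in that case; suggest adding a sentence to Step 5 such as "If the vulnerability is already public, proceed to full disclosure as soon as the patches are reviewed." In the same region, Step 4 admits stakeholders who "can be considered trustworthy enough" without saying who makes that judgement; naming the deciding party (for example, the members of the ovs-security list) would make the step actionable for whoever processes requests.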