From de58c77e38e18911e60dd4790d335d5c7d2c458f Mon Sep 17 00:00:00 2001 From: Danielle Tal Date: Wed, 24 May 2023 15:35:59 +0200 Subject: [PATCH 1/7] Create SECURITY.md @dongsupark Please describe the security process we do weekly --- SECURITY.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..7cc790b --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,14 @@ +# Flatcar Security + +- Describe the process of tracking security issues for Flatcar, especially tracking issues from upstream projects like Gentoo Linux. + +## Primary person should do so: + +Every day look into upstream security trackers like below: +- Gentoo security vulnerabilities. It might be useful to use gorss + RSS feed for this. +- oss-security mailing list +- Golang announce mailing list +- Rust security announcements +- (optional) RedHat vulnerabilities +- If we see any new CVE, then add it to the CVE spreadsheets (still private), and click the link (above left) to generate new issues. Then we should be able to see a new issue created in Kinvolk security Github issues. (still private) +- If the package of the new CVE is already open in Kinvolk security Github issues, then unfortunately we need to manually edit the existing issue to add the new CVE. From 91bfa1409bb4335b5909be22abd7e2dde58dfd27 Mon Sep 17 00:00:00 2001 From: Danielle Tal Date: Thu, 8 Jun 2023 12:47:56 +0200 Subject: [PATCH 2/7] Update SECURITY.md Co-authored-by: Dongsu Park --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 7cc790b..d7de8d6 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -10,5 +10,5 @@ Every day look into upstream security trackers like below: - Golang announce mailing list - Rust security announcements - (optional) RedHat vulnerabilities -- If we see any new CVE, then add it to the CVE spreadsheets (still private), and click the link (above left) to generate new issues. Then we should be able to see a new issue created in Kinvolk security Github issues. (still private) +- Whenever we discover any new CVE, we add it to an internal database, and use automation tools to create a new issue about the CVE in [Flatcar GitHub issues](https://github.com/Flatcar/Flatcar/issues) with labels `security` and `advisory`. - If the package of the new CVE is already open in Kinvolk security Github issues, then unfortunately we need to manually edit the existing issue to add the new CVE. From 9c50b56bcfc040ee7da2111f4ee2bf290734e5bb Mon Sep 17 00:00:00 2001 From: Danielle Tal Date: Thu, 8 Jun 2023 12:48:14 +0200 Subject: [PATCH 3/7] Update SECURITY.md Co-authored-by: Dongsu Park --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index d7de8d6..787f9e1 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -11,4 +11,4 @@ Every day look into upstream security trackers like below: - Rust security announcements - (optional) RedHat vulnerabilities - Whenever we discover any new CVE, we add it to an internal database, and use automation tools to create a new issue about the CVE in [Flatcar GitHub issues](https://github.com/Flatcar/Flatcar/issues) with labels `security` and `advisory`. -- If the package of the new CVE is already open in Kinvolk security Github issues, then unfortunately we need to manually edit the existing issue to add the new CVE. +- If an issue of updating the specific package affected by the new CVE is already open in [Flatcar GitHub issues](https://github.com/Flatcar/Flatcar/issues), then unfortunately we need to manually edit the existing issue to add the new CVE. 
From e1b4184cfe16c1debd4fca983fbafa32822bf96b Mon Sep 17 00:00:00 2001 From: Danielle Tal Date: Thu, 8 Jun 2023 12:48:24 +0200 Subject: [PATCH 4/7] Update SECURITY.md Co-authored-by: Dongsu Park --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 787f9e1..4a0e1e5 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -9,6 +9,6 @@ Every day look into upstream security trackers like below: - oss-security mailing list - Golang announce mailing list - Rust security announcements -- (optional) RedHat vulnerabilities +- (optional) issue trackers of other distros - Whenever we discover any new CVE, we add it to an internal database, and use automation tools to create a new issue about the CVE in [Flatcar GitHub issues](https://github.com/Flatcar/Flatcar/issues) with labels `security` and `advisory`. - If an issue of updating the specific package affected by the new CVE is already open in [Flatcar GitHub issues](https://github.com/Flatcar/Flatcar/issues), then unfortunately we need to manually edit the existing issue to add the new CVE. From 16d92a35a937a8f906e18b01723e09e85823a484 Mon Sep 17 00:00:00 2001 From: Danielle Tal Date: Thu, 8 Jun 2023 12:48:42 +0200 Subject: [PATCH 5/7] Update SECURITY.md Co-authored-by: Thilo Fromm --- SECURITY.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 4a0e1e5..e715629 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -2,7 +2,12 @@ - Describe the process of tracking security issues for Flatcar, especially tracking issues from upstream projects like Gentoo Linux. -## Primary person should do so: +## Daily security runbook for Security team primaries and secondaries + +The runbook below discusses steps for identifying new potential security issues and for making the issues known to the Flatcar project's maintainers and / or the other members of the Security team. +Embargoed issues are recorded in a private issue tracker only accessible by the Security team, while public issues are openly tracked in the [Flatcar project](https://github.com/Flatcar/Flatcar/issues). + +Primaries are expected to execute the runbook at least once per day, optionally assisted or off-loaded by Secondaries. Every day look into upstream security trackers like below: - Gentoo security vulnerabilities. It might be useful to use gorss + RSS feed for this. From 49c46255168d13b12a414224d579193433c19ae2 Mon Sep 17 00:00:00 2001 From: Danielle Tal Date: Thu, 8 Jun 2023 12:48:54 +0200 Subject: [PATCH 6/7] Update SECURITY.md Co-authored-by: Thilo Fromm --- SECURITY.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index e715629..e1f57da 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,6 +1,17 @@ # Flatcar Security - -- Describe the process of tracking security issues for Flatcar, especially tracking issues from upstream projects like Gentoo Linux. +To keep Flatcar secure, the maintainers put a strong focus on tracking new and existing security issues. +Dealing with Security concerns is owned by the [Flatcar Security team](https://github.com/orgs/flatcar/teams/flatcar-security-team), a sub-set of the Maintainers team, and elected by the Maintainers (see [governance.md](./governance.md)). + +While the team actively researches and tracks new and existing security issues, it may also be notified of issues via [security@flatcar-linux.org](mailto:security@flatcar-linux.org). + +The Security team meets in a fortnightly cadence, in a private video call. +The team maintains an internal list of security Primaries and Secondaries, which are rotated on a weekly basis. +Primary and Secondary are expected to actively engage in security work each day, including executing the Runbook (see below) and working on fixing ongoing security issues. + +Undisclosed security issues are tracked in a private repository only accessible by members of the security team. +Public issues are tracked publicly in the project's main issue tracker. + +Security issues are addressed by releasing an updated OS image. Releases may be expedited depending on the issues' severity. For each release, release notes contain a concise list of security issues fixed. Also, a separate, detailed report on each of the issues addressed is part of every release. ## Daily security runbook for Security team primaries and secondaries From adf904ea5f529a2966822ab278962633e885dc66 Mon Sep 17 00:00:00 2001 From: Thilo Fromm Date: Thu, 8 Jun 2023 14:16:10 +0200 Subject: [PATCH 7/7] Update SECURITY.md --- SECURITY.md | 1 - 1 file changed, 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index e1f57da..e754a37 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -16,7 +16,6 @@ Security issues are addressed by releasing an updated OS image. Releases may be ## Daily security runbook for Security team primaries and secondaries The runbook below discusses steps for identifying new potential security issues and for making the issues known to the Flatcar project's maintainers and / or the other members of the Security team. -Embargoed issues are recorded in a private issue tracker only accessible by the Security team, while public issues are openly tracked in the [Flatcar project](https://github.com/Flatcar/Flatcar/issues). Primaries are expected to execute the runbook at least once per day, optionally assisted or off-loaded by Secondaries.
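Review bot: in PATCH 1/7 the hunk's CVE bullet tells the reader to "click the link (above left) to generate new issues", but a Markdown file has no "above left" link and the spreadsheet it refers to is private, so the instruction cannot be followed from this document; the heading "## Primary person should do so:" is also ungrammatical. Both are reworked later in the series (PATCH 2/7 rewrites the bullet, PATCH 5/7 the heading), so squashing those fix-ups into this commit would avoid landing a known-broken version of SECURITY.md in history.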
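Review bot: in PATCH 2/7 the new bullet says "use automation tools to create a new issue about the CVE" without naming or linking the tooling or saying who runs it, so a newly rotated Primary cannot act on the step; suggest either linking the tool or stating explicitly that it is internal to the Security team, e.g. "use the team's internal issue-creation tooling (link) to create a new issue ...". The labels `security` and `advisory` are a useful detail, since they are what readers of the public tracker can filter on.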
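Review bot: after PATCH 3/7 the two CVE-handling bullets ("Whenever we discover any new CVE ..." and "If an issue of updating the specific package ... is already open ...") still sit inside the list introduced by "Every day look into upstream security trackers like below:", although they are workflow steps rather than trackers. Suggest ending the tracker list after the "(optional) ..." item and opening a second list, e.g. "When a new CVE is found:", for the database and issue steps, so the runbook reads as "where to look" followed by "what to do".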
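Review bot: PATCH 6/7 links the governance document as `[governance.md](./governance.md)`, which assumes that file sits at the repository root beside SECURITY.md; confirm the path, because a broken link in the security policy is the first thing an external reporter will hit. The reporting paragraph gives the address [security@flatcar-linux.org](mailto:security@flatcar-linux.org) but says nothing about what a report should contain or when the reporter can expect an acknowledgement, which is the information a SECURITY.md is usually read for. Capitalization is also inconsistent ("Dealing with Security concerns" versus "security Primaries and Secondaries"), and the sentence "Undisclosed security issues are tracked in a private repository ..." duplicates the "Embargoed issues are recorded in a private issue tracker ..." line still present in the runbook at this point in the series; PATCH 7/7 removes that duplicate, which is the right resolution.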