Skip to content

Commit

Permalink
add security incident response process (#3675)
Browse files Browse the repository at this point in the history
  • Loading branch information
cartersocha authored Dec 16, 2023
1 parent 8fea91c commit 2cafab0
Show file tree
Hide file tree
Showing 2 changed files with 140 additions and 0 deletions.
128 changes: 128 additions & 0 deletions content/en/docs/security/security-response.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,128 @@
---
title: Community Incident Response Guidelines
weight: 102
---

Security vulnerabilities should be handled quickly and sometimes privately. The
primary goal of this process is to reduce the total time users are vulnerable to
publicly known exploits.

The
[OpenTelemetry Technical Committee (OTel TC)](https://github.com/open-telemetry/community/blob/main/tech-committee-charter.md)
and relevant repository maintainers, supported by tooling provided by the
[SIG Security](https://github.com/open-telemetry/sig-security), are responsible
for responding to the incident organizing the entire response including internal
communication and external disclosure.

## Supported Versions

The OTel project provides community support only for the last overall minor
version: bug fixes are released either as part of the next minor version or as
an on-demand patch version. Independent of which version is next, all patch
versions are cumulative, meaning that they represent the state of our `main`
branch at the moment of the release. For instance, if the latest version is
0.10.0, bug fixes are released either as part of 0.11.0 or 0.10.1.

Security fixes are given priority and might be enough to cause a new version to
be released. Each repository is entitled to establish their own complementary
processes. SIG Security in conjunction with the TC can advise in case
clarifications are required.

## Disclosures

### Private Disclosure Processes

In order for the vulnerability reports to reach maintainers as soon as possible,
the preferred way is to use the `Report a vulnerability` button on the
`Security` tab in the respective GitHub repository. It creates a private
communication channel between the reporter and the maintainers.

If you are absolutely unable to or have strong reasons not to use GitHub
reporting workflow, please reach out to the Technical Committee using
[[email protected]](mailto:[email protected])
and we will provide instruction on how to report the vulnerability using an
encrypted message, if desired.

### Public Disclosure Processes

If you know of a publicly disclosed security vulnerability please IMMEDIATELY
email
[[email protected]](mailto:[email protected])
to inform the Security Response Committee (SRC) about the vulnerability so they
may start the patch, release, and communication process. Please include any
relevant information about current public exploitations of this vulnerability if
known to help with scoring and prioritization.

The TC should receive the message and re-direct it to the relevant repository
maintainers for ownership. If possible the repository maintainers will engage
and ask the person making the public report if the issue can be handled via a
private disclosure process. If the reporter denies the request, the repository
maintainers will move swiftly with the fix and release process. In extreme cases
you can ask GitHub to delete the issue but this generally isn't necessary and is
unlikely to make a public disclosure less damaging.

## Patch, Release, and Public Communication

### Fix Team Organization

The Fix Team is made up of the relevant repository maintainers.

### TC Role

- A member of the TC will need to review the proposed CVSS score and severity
from the Fix Team
- Acknowledge when a proposed fix is completed

### Fix Development Process

All of the timelines below are suggestions that assume a Private Disclosure and
that the report is accepted as valid.

#### Initial Incident Response

- The TC is notified of an incident and the relevant repository maintainers are
added automatically using a Zapier workflow as the Fix Team to the issue.
- The Fix Team acknowledges the incident to the reporter, asks for further
details if necessary, and begins mitigation planning.
- The Fix Team confirms with the reporter if the incident is valid and requires
a fix.
- The Fix Team creates a temporary private branch to start work on the fix.
- The Fix Team will create a
[CVSS](https://www.first.org/cvss/specification-document) Base score using the
[CVSS Calculator](https://www.first.org/cvss/calculator/3.1) and ping the TC
GitHub team, `@open-telemetry/technical-committee` for confirmation.
- The Fix Team will request a CVE from GitHub and follow up with the reporter.
- The Fix Team publishes the CVE to the GitHub Security Advisory Database for
user notification.

#### Incident Mitigation

The incident mitigation timeline depends on the severity of the incident and
repository release cadence.

- The Fix Team will ping
[@open-telemetry/technical-committee](https://github.com/orgs/open-telemetry/teams/technical-committee)
to alert them that work on the fix branch is complete once there are LGTMs on
all commits in the temporary private fork created for the GitHub Security
Advisory.
- The updated version is released with the fix.
- The incident is published to the GitHub Security Advisory Database and
affected users are automatically notified using GitHub security alerts.

### Fix Disclosure Process

OTel relies on GitHub tooling to notify the affected repositories and publish a
security advisory. GitHub will publish the CVE to the CVE List, broadcast the
Security Advisory via the GitHub Advisory Database, and send security alerts to
all repositories that use the package and have alerts on. The CVE will also be
added to the [OTel website's CVE feed](../cve/).

#### Fix Release Day

The Fix Team as repository owners will release an updated version and optionally
notify their communities via Slack.

## Severity

The Fix Team evaluates vulnerability severity on a case-by-case basis, guided by
CVSS 3.1 and is subject to TC review.
12 changes: 12 additions & 0 deletions static/refcache.json
Original file line number Diff line number Diff line change
Expand Up @@ -3787,6 +3787,10 @@
"StatusCode": 200,
"LastSeen": "2023-06-30T09:42:42.642961-04:00"
},
"https://github.com/orgs/open-telemetry/teams/technical-committee": {
"StatusCode": 200,
"LastSeen": "2023-12-16T12:14:31.82439-08:00"
},
"https://github.com/orishoshan": {
"StatusCode": 200,
"LastSeen": "2023-11-16T15:02:08.644309-05:00"
Expand Down Expand Up @@ -6163,6 +6167,14 @@
"StatusCode": 200,
"LastSeen": "2023-07-07T17:13:23.688913+02:00"
},
"https://www.first.org/cvss/calculator/3.1": {
"StatusCode": 200,
"LastSeen": "2023-12-13T15:40:04.523841-08:00"
},
"https://www.first.org/cvss/specification-document": {
"StatusCode": 200,
"LastSeen": "2023-12-13T15:40:03.612009-08:00"
},
"https://www.flipt.io/docs/configuration/observability#tracing": {
"StatusCode": 206,
"LastSeen": "2023-10-05T19:46:12.968304+02:00"
Expand Down

0 comments on commit 2cafab0

Please sign in to comment.