generated from ossf/project-template
RFC: Becoming a CNA as an Open Source organization or project #139
Merged
Changes from 1 commit (ab864c4) of 5 commits, all by sethmlarson:

* ab864c4 Becoming a CNA as an Open Source organization or project
* 5e9b9fe Address feedback, add RedHat Root recommendation, document recommenda…
* 030a91f Fix the spacing for 'Red Hat'
* 20fcb02 Add list of contraindicators for becoming a CNA
* 8c956cf Add 'Important Considerations' header, nudge towards Red Hat as Root
docs/guides/becoming-a-cna-as-an-open-source-org-or-project.md (186 additions, 0 deletions)
@@ -0,0 +1,186 @@ | ||
# Becoming a CNA as an Open Source Organization or Project | ||
|
||
## Audience and Overview | ||
|
||
[CVE Numbering Authorities](https://www.cve.org/PartnerInformation/ListofPartners) (CNAs) are organizations responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the Vulnerability in the associated CVE Record. You can learn more about CNAs from [the CVE website](https://www.cve.org/PartnerInformation/Partner). There are videos available covering the [CVE Program overview](https://youtu.be/rrNYEUNsXOY) and the [general process to become a CNA](https://youtu.be/13b5cuZR7CQ). | ||
|
||
This guide was written for Open Source organizations and projects that are interested in becoming a CNA and managing their own CVEs. This is not a guide for becoming a [Root CNA](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_3_roots) which has additional requirements. | ||
|
||
This document will help cover the following topics: | ||
|
||
* Benefits of becoming a CNA as an Open Source project | ||
* Does your organization or project meet the requirements to become a CNA? | ||
* What is the process for becoming a CNA? | ||
|
||
A future document will cover other topics about CNA operations. | ||
|
||
## Why become a CNA? | ||
|
||
CVEs are a common way to record and share details about vulnerabilities in software projects. Because of their near-ubiquity, CVEs are often the method that downstream consumers will use to know when software they're using is vulnerable and requires remediation. This is especially evident with their use of security scanners and tools that report findings discovered in software and systems using the CVE identifiers. | ||
|
||
CVE Numbering Authorities (CNAs) are the entities that can allocate CVE IDs and create corresponding CVE Records within a particular scope (a product, a project or group of affiliated projects, and the like). Becoming a CNA means that your organization will have a defined scope and will be able to create CVE IDs and Records for that defined scope autonomously. | ||
|
||
Below are some of the benefits of becoming a CNA: | ||
|
||
* **Provide high-quality authoritative CVE Records for your users.** CVE Records created by third-parties can be incomplete or inaccurate. | ||
* **CVEs can't be issued for projects in a CNA's scope without first reporting to the CNA.** This means that reporters _must_ initially engage with your CNA, thus reducing confusion and allowing subject-matter experts on the project and security policy to weigh in on whether to create a CVE for a given disclosure. | ||
* **Assign CVE IDs without needing to share embargoed information with other organizations.** This allows the project to determine for themselves who, if anyone, needs or gets pre-disclosure information. | ||
|
||
## Requirements to become a CNA | ||
|
||
Before becoming a CNA you can look at the below set of requirements to make sure joining the CNA Program is feasible for your project or organization. **Remember that you can always leave and rejoin the CNA Program at a later date if circumstances change.** | ||
|
||
### Points of contact (POCs) | ||
|
||
Preferably 2 or more and ordered primary, secondary, etc. For each point of contact you’ll need the following information which is **not publishing publicly** and is only used internally by the CNA Program: | ||
|
||
* Name | ||
* Email address (Can’t be a group email address) | ||
* Phone number (**Required for primary POC only**, and only used for rare emergencies like [Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) in scoped products) | ||
|
||
|
||
### Time and reporting obligations | ||
|
||
* **During CNA onboarding:** | ||
* List of 3 available dates and times for a 1-hour call with CNA Program with all Points of Contact to answer questions and exercises. These three dates must be at least 3 weeks in the future. | ||
* Complete practice exercises after the initial onboarding call and submit your exercises to the CNA Program for approval. | ||
|
||
* **Throughout CNA operations:** | ||
* **No time requirements on timeline for [non-public aspects of coordinated vulnerability disclosure](https://www.cve.org/ResourcesSupport/AllResources/CNARules#appendix_d_disclosure_and_embargo_policies) (ie reporting, acknowledging, disclosures, etc).** | ||
* CVE dispute requests have timeliness requirements: | ||
* 3 days to acknowledge the dispute. | ||
* 5 days after acknowledgement to make a decision or extend and inform the requester. | ||
* 15 days after optional extension to make a final decision or escalate up to your Root CNA, resulting in a new dispute cycle. | ||
* Get approval from Root CNA with changes to CNA record data like POCs, scope, vulnerability disclosure policy and location, etc. | ||
* CNA inactivity policy: 6 months of no CVE IDs allocated will cause a few heartbeat emails sent to POCs. After three attempts to contact your organization will be removed from the CNA Program (and you can reapply to join again). | ||
|
||
* Yearly review of CNA Rules and checking CNA mailing list (sent to POC email addresses). | ||
* Recommended yearly rotation of CVE Services credentials. | ||
|
||
### Organization information | ||
|
||
* Full name of organization (“Python Software Foundation”) | ||
* Short name (ie “PSF”) used in CNA partner list and for authentication with CVE Services. | ||
* Industry using [Global Industry Classification Standard](https://en.wikipedia.org/wiki/Global_Industry_Classification_Standard) (GICS). Likely to be “451030” corresponding with “Software” for Open Source projects. | ||
* Country of Origin. | ||
* CNA Role & Type. Likely to be “Open Source” and “Vendor” for Open Source projects. | ||
|
||
|
||
### CNA and CVE information | ||
|
||
It’s acceptable to not have these fields complete at time of submission, they are finalized after the initial meeting and before announcing your organization as a CNA. | ||
|
||
* Public contact information (ie email address, web form) | ||
* Scope statement | ||
* Vulnerability disclosure policy URL | ||
* Advisory location URL, must be publicly scrapeable for CVE IDs. | ||
|
||
Optionally have the answers to this information: | ||
|
||
* Are there any in-flight CVE ID requests for your organization? (Let CVE know if there are, these can potentially be reassigned to your new CNA) | ||
* Approximate number of CVE IDs needed in a year (you can always request more) | ||
|
||
## Process to become a CNA | ||
|
||
### Submitting the Onboarding Form | ||
|
||
The first step towards becoming a CNA is to request more information about the CNA Program from the [CVE Request Form](https://cveform.mitre.org/). Select “Request Information on the CVE Numbering Program (CNA)” and fill out all the required fields, hit submit, and then wait for a reply with another form from the CNA Program operators. If you’re even somewhat interested in being a CNA, you should do this (there’s no cost or downside!) | ||
|
||
When you’ve received the second form, this is where you’ll be filling in information about Points of Contact, Organization, etc about your prospective CNA. Like is mentioned in the Requirements section, many of these fields don’t need to be finalized before submitting the form. Focus on filling in everything that you can and then picking the dates for your initial meeting with the CNA Program. You’ll have some time to discuss with the CNA Program folks and update your response before your initial meeting. | ||
|
||
The minimum amount of time between first contacting the CNA Program and being announced as a CNA is 4 weeks and it will take at least 3 weeks before your first video call with the CNA Program. During this three week period between first contact and your first call, this is the time where you can work on the following: | ||
|
||
* Solidifying your scope, vulnerability disclosure policy, and vulnerability disclosure publishing location. You can look at the [existing list of CNA Partners](https://www.cve.org/PartnerInformation/ListofPartners) for examples. | ||
* Learn about CNA Rules and processes from the published documentation and videos. | ||
* Experiment with CVE Record format in [Vulnogram](https://vulnogram.github.io/). | ||
|
||
Prior to attending the onboarding call I recommend reviewing the below resources. | ||
|
||
### CNA Onboarding Videos | ||
|
||
Watch all the informational videos from the [CNA onboarding documentation](https://www.cve.org/ResourcesSupport/Resources#cnaOnboarding). Approximately an hour of content about the program, becoming a CNA, assigning CVE IDs, and creating CVE records. Slides are available on the website. | ||
|
||
* [CVE Program Overview](https://youtu.be/rrNYEUNsXOY) (5 minutes) | ||
* [Becoming a CNA](https://youtu.be/13b5cuZR7CQ) (15 minutes) | ||
* [Assigning CVE IDs](https://youtu.be/JQYq-mxLo-U) (26 minutes) | ||
* [CVE Record Creation](https://youtu.be/se-yM_LureQ) (7 minutes) | ||
|
||
### CVE Services | ||
|
||
CNAs use [CVE Services](https://www.cve.org/AllResources/CveServices) to manage CVE IDs and records. CVE Services is essentially a set of APIs around the CVE database to manage a CNAs' block of CVE IDs and records. | ||
|
||
Watch the following videos: | ||
|
||
* [Getting a CVE Services Account](https://www.youtube.com/watch?v=KSNvidMTKNA) (10 minutes) | ||
* [CVE Record Workflow](https://www.youtube.com/watch?v=k6eRdnzgk9E) (6 minutes) | ||
* [Demo on Vulnogram, an open source CVE Services client UI](https://www.youtube.com/watch?v=o3V-fmQpC0o) (10 minutes) | ||
|
||
There are optional videos available with a historical overview of CVE Services and deep-dive into CVE Record JSON 5 format. You don't have to watch these, but if you're interested they are there: | ||
|
||
* [Introduction to CVE Services](https://www.youtube.com/watch?v=K2OoRpDhzss) (37 minutes) | ||
* [CVE JSON 5 Format](https://www.youtube.com/watch?v=YWZECqzRI7M) (45 minutes) | ||
|
||
|
||
### CNA Rules | ||
|
||
There is a [list of rules for all CNAs](https://www.cve.org/ResourcesSupport/AllResources/CNARules) published by CVE. Many of these rules apply to CNAs which aren't sub-CNAs like the PSF. The rules that do apply to Sub-CNAs are documented in these sections, read each of these: | ||
|
||
* [Terminology / Definitions](https://www.cve.org/ResourcesSupport/AllResources/CNARules#appendix_a_definitions) | ||
* [Rules for Sub-CNAs](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_2_sub_cnas) | ||
* [CVE Assignment Rules](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_7_assignment_rules) | ||
* [CVE Record Requirements](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_8_cve_record_requirements) | ||
* [Defining CNA Scope](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_10_defining_cna_scope) | ||
* [Process to Correct Assignment Issues or Update CVE Records](https://www.cve.org/ResourcesSupport/AllResources/CNARules#appendix_c_process_to_correct_assignment_issues_update_cve_records) | ||
* [Disclosure and Embargo Policies](https://www.cve.org/ResourcesSupport/AllResources/CNARules#appendix_d_disclosure_and_embargo_policies) | ||
|
||
Pay close attention to **CVE Assignment Rules** and **CVE Record Requirements** as they will be the subject of the exercises for the onboarding call with the CNA Program. | ||
|
||
## Community Support | ||
|
||
[CVE has multiple working groups](https://www.cve.org/ProgramOrganization/WorkingGroups), some of which are only available to join after being accepted into the CNA Program. The CNA Coordination Working Group provides mentorship and fosters better communication and participation from CNAs. | ||
|
||
Upon being accepted into the CNA Program there is also a CNA-only Slack channel hosted by CVE which can be used for asking questions and checking with other CNAs on how they’d handle certain situations. | ||
|
||
## Q&A | ||
|
||
**Q: Do I need to be an organization / company to become a CNA?** | ||
|
||
A: No. Individual people could theoretically be a CNA, most of what matters is that you follow the rules of the program consistently and you’re able to meet the time requirements for CVE disputes. | ||
|
||
**Q: Does everyone who’s handling CNA operations need to be a part of the same organization / company that the CNA represents?** | ||
|
||
A: No. You can create CVE Services accounts for people outside your organization, including volunteers. What matters is that they know and follow CNA Rules when operating the CNA and that credentials are handled securely. | ||
|
||
**Q: Should I scope end-of-life products / releases?** | ||
|
||
A: End-of-life products / releases can still have CVEs assigned, whether you have them scoped or not is up to you and only changes whether MITRE (CNA-LR) or your CNA is issuing the CVEs. Advice is to start with end-of-life products / releases scoped and drop them from scope if the workload is too much. | ||
|
||
**Q: Do I have to provide a CVSS score?** | ||
|
||
A: No, that field is optional. NVD (National Vulnerability Database) tries to provide a CVSS score on every CVE. | ||
|
||
**Q: Can all my CVE ID blocks be managed through CVE Services rather than through another service?** | ||
|
||
A: Yes, and this is the recommended way. However, CVE Services cannot be used as a database for unpublished or incomplete records, submitting a CVE Record to CVE Services immediately moves it to the published state. Coordination on CVE Records thus cannot happen via CVE Services alone. | ||
|
||
**Q: By becoming a CNA can I update CVEs that were issued against our newly scoped projects?** | ||
|
||
A: No, you need to use the CVE Record update / dispute process with the assigner of each pre-existing CVE. | ||
|
||
**Q: What does “web-scraping” advisory location mean? (From an onboarding form)** | ||
|
||
A: This is a location where all CVE IDs appear in text such that they can be scraped by a web scraping process. This web scraping process is sometimes used by CVE to ensure that CVE IDs that get published as advisories are made publicly available in a timely manner. For monitored locations, CVE will give you a reminder if you publish an advisory and don’t publish the corresponding CVE Record in a few days. Publishing a CVE ID (like in an advisory) without publishing the corresponding CVE Record is called “[Reserved but public (RBP)](https://www.cve.org/ResourcesSupport/Glossary#glossaryRBP)” and is not permitted by the CNA Rules. | ||
|
||
**Q: Is CNA status permanent? What are the ways CNA status can be revoked?** | ||
|
||
A: CNA status is not permanent, it can be relinquished voluntarily any time by writing to the CNA’s Root. CNA status can be revoked if … | ||
|
||
* CNA doesn’t meet the timelines specified in the CVE Record dispute process. | ||
* CNA doesn’t respond to heartbeat emails after a period of inactivity. | ||
* CNA violates CNA Rules and the CNA’s Root decides to revoke CNA status as a remediation. | ||
|
||
## Known differences/errata for CNA Rules | ||
|
||
There are a few known differences between the onboarding and requirements from CVE and what's documented in the CNA Rules. Those are captured below: | ||
|
||
* CNA must provide a phone number for the primary POC. | ||
* CNA either should or must publish CVE Records within 24 hours of publication of a CVE ID. | ||
* CNA timeliness requirements for CVE Disputes are not documented in the CNA Rules. |
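Review bot: the answer under "Does everyone who's handling CNA operations need to be a part of the same organization / company" says only that "credentials are handled securely", which gives a new CNA nothing actionable; since that same answer says CVE Services accounts can be created for volunteers outside the organization, state the concrete practice: one CVE Services account per person, no shared or group logins (in line with the POC rule that an email address can't be a group address), accounts removed when a volunteer steps away, and the yearly credential rotation already recommended under "Time and reporting obligations" applied to every such account. Smaller points in the same file: "not publishing publicly" under "Points of contact (POCs)" should read "not published publicly"; the inactivity bullet needs a comma ("After three attempts to contact, your organization will be removed"); "Prior to attending the onboarding call I recommend" and "sub-CNAs like the PSF" under "CNA Rules" read as a single author's voice in an otherwise generic guide, so "we recommend" and "sub-CNAs (the usual case for an Open Source project)" would fit better; and the errata bullet "CNA either should or must publish CVE Records within 24 hours" should say which, because the "web-scraping" answer already treats a CVE ID that is public in an advisory without a published record (RBP) as not permitted, so readers need to know whether the 24-hour window is a rule or a recommendation.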
This text seems to suggest that there are ONLY advantages to becoming a CNA. I don't believe that; everything has its pros and cons.
A short list of contraindicators might be wise. E.g.:
When to not become a CNA
Becoming a CNA adds a new commitment. In particular, don't become a CNA if:
You don't necessarily need to become a CNA to issue CVEs on open source software (OSS) projects. Some CNAs already cover many OSS projects, including GitHub and Red Hat. In addition, it's always possible to file for a CVE through the "CNA of last resort" (MITRE at the time of this writing). However, if you find that these general fora don't suit your needs, becoming a CNA may be a useful solution.
Thanks David, I've added a list that captures your suggestion :)
Thanks for the added list.
I worry that the list might not be noticed. I strongly urge adding a header before the new list, e.g., "Important Considerations" or something else. That way, people can find that list easily and are more likely to notice it when skimming.
Done!