Posted to dev@hive.apache.org by Stamatis Zampetakis <za...@gmail.com> on 2023/09/12 08:12:41 UTC

CVE reports and process to completion

Hey everyone,

When someone discovers a potential security vulnerability in Hive (or
any other Apache project), they can opt to inform the PMC of the
project by following the ASF guidelines [1]. For Hive, the report
should be sent to security@hive.apache.org.

Next, the PMC follows the steps outlined in [2] to process the report
and, if it is deemed necessary, release a fix for the vulnerability.

In order to make the CVE process as smooth as possible and ensure that
CVE reports are addressed in a timely manner I would like to introduce
the notion of a "CVE mentor".

The "CVE mentor" is the one responsible for bringing the reported CVE
to completion, ensuring that the steps in [2] are followed. They are
the principal contact person between the reporter of the vulnerability
and the PMC, and the one who leads the discussions. The triage and fix
can be done by the mentor or entrusted to a committer (ensuring, of
course, that everything remains private until a fix is officially
released). Given that we need to release a fix very soon after a
vulnerability is fixed, the mentor may also need to act as the release
manager. Since the reports arrive on the private list, the CVE mentor
should be someone who has access to the security list (all PMC members
and a few other individuals).

However, for the idea to work we need a few people (preferably PMC) to
volunteer for the role of the "CVE mentor". Then the volunteers can
pick incoming CVE reports in a round robin fashion. Needless to say
that since I am the one proposing it, I would like to be part of the
list.

Any additional thoughts or suggestions on how to improve this process
are very welcome. Also, if you like the idea and want to volunteer,
please reply to this email to add yourself to the list.

Best,
Stamatis Zampetakis

[1] https://www.apache.org/security/
[2] https://www.apache.org/security/committers.html#possible

Re: CVE reports and process to completion

Posted by Stamatis Zampetakis <za...@gmail.com>.
Many thanks to Ayush for volunteering! Anyone else?

Note that handling vulnerabilities is of utmost importance to an
Apache project. It is one of the four technical requirements
established by the ASF [1]. If there are not enough PMC members to handle
CVEs, the project can be taken down.

Best,
Stamatis

[1] https://www.apache.org/dev/project-requirements#technical

On Wed, Sep 13, 2023 at 11:11 AM Ayush Saxena <ay...@gmail.com> wrote:
>
> Hi Stamatis,
> Thanks for starting the thread, I can volunteer as well.
>
> -Ayush
>
> On Tue, 12 Sept 2023 at 13:43, Stamatis Zampetakis <za...@gmail.com> wrote:
> > [...]

Re: CVE reports and process to completion

Posted by Ayush Saxena <ay...@gmail.com>.
Hi Stamatis,
Thanks for starting the thread, I can volunteer as well.

-Ayush

On Tue, 12 Sept 2023 at 13:43, Stamatis Zampetakis <za...@gmail.com> wrote:
> [...]