Posted to dev@dubbo.apache.org by Huxing Zhang <hu...@apache.org> on 2018/03/01 02:20:20 UTC

Private channel for reporting security issues

Hello Mentors and community,

Recently we've received a report of a security vulnerability, which was
reported publicly via Github issues. However, when I wanted to check it
again, I found the issue deleted for an unknown reason. I've no idea how
this happened, and my guess is that Github deleted this issue once it
detected it as a vulnerability report.

This made me think about how a security issue should be reported.

Given that Dubbo is already widely used in the production
systems of various companies [1], I think we should provide a private
channel for reporting security issues.

Currently we have 2 options:
1) private@dubbo.apache.org
2) security@dubbo.apache.org

Since Dubbo has just started incubating, I think 1) is enough for now. We
can switch to 2) if necessary.

Thoughts?

[1] https://github.com/alibaba/dubbo/issues/1012
-- 
Best Regards!
Huxing

Re: Private channel for reporting security issues

Posted by Mark Thomas <ma...@apache.org>.
On 02/03/18 03:23, Huxing Zhang wrote:
> Hi Mark,
> 
> Thanks for the information.
> In that case, I am +1 for security@dubbo.apache.org.
> 
> Further question: if the vulnerability report is related to some
> project Dubbo depends on, what kind of action should the Dubbo security
> team take?
> 
> Should we accept it, update to the fixed version, and then announce it?

Typically (the process can and does vary based on circumstances) we'd
redirect the reporter to the project with the vulnerability. Once that
project has fixed it, we'd update the dependency. Once that project
announces the vulnerability with a CVE reference, we'd announce that we
were vulnerable using the same CVE reference.

Figuring out where the root cause lies for a given vulnerability -
particularly across projects - can get 'interesting'.

On a related topic it is perfectly possible to depend on a project that
has a known vulnerability without being vulnerable (e.g. because we
don't use the affected functionality).

Mark


> 
> On Thu, Mar 1, 2018 at 6:24 PM, Mark Thomas <ma...@apache.org> wrote:
>> On 01/03/18 02:59, Echo Wang wrote:
>>>>
>>>> 1) private@dubbo.apache.org
>>>
>>>
>>> +1
>>
>> With my mentor hat on:
>>
>> No.
>>
>> All security vulnerability reports need to be visible to the ASF
>> security team and if they are reported directly to the private@ list
>> that doesn't happen.
>>
>> The podling needs to choose which of the following addresses it wishes
>> to publish for security reports and then make sure that the chosen
>> address is clearly signposted:
>>
>> 1. security@dubbo.apache.org
>> 2. security@apache.org
>>
>> If the podling chooses the first, the podling will need to request that
>> that list is set up by INFRA. All security@<project>.apache.org lists
>> are automatically copied to the ASF security team.
>>
>> If the podling chooses security@a.o (the ASF wide security address),
>> that team will then forward reports to private@dubbo.apache.org
>>
>> Now is probably also a good time for the project community to review the
>> security vulnerability handling process:
>>
>> http://www.apache.org/security/committers.html
>>
>> Mark
> 


Re: Private channel for reporting security issues

Posted by Von Gosling <vo...@apache.org>.
Agree, security issues could be moved to the private email list for discussion :-)

Best Regards,
Von Gosling

> On 2 Mar 2018, at 11:59, Justin Mclean <ju...@classsoftware.com> wrote:
> 
> Note that, as an exception to the usual "talk about it on the dev list", discussion should be kept to private lists to reduce the risk of someone taking advantage of the security issue before it is fixed.

Re: Private channel for reporting security issues

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

> Thanks for the information.
> In that case, I am +1 for security@dubbo.apache.org.

Requested and the email list should be created soon.

> Further question: if the vulnerability report is related to some
> project Dubbo depends on, what kind of action should the Dubbo security
> team take?
> Should we accept it, update to the fixed version, and then announce it?

In short, but it's a bit more involved than that. For full details see [1].

Note that, as an exception to the usual "talk about it on the dev list", discussion should be kept to private lists to reduce the risk of someone taking advantage of the security issue before it is fixed.

Thanks,
Justin

1. https://www.apache.org/security/committers.html

Re: Private channel for reporting security issues

Posted by Huxing Zhang <hu...@apache.org>.
Hi Mark,

Thanks for the information.
In that case, I am +1 for security@dubbo.apache.org.

Further question: if the vulnerability report is related to some
project Dubbo depends on, what kind of action should the Dubbo security
team take?

Should we accept it, update to the fixed version, and then announce it?

On Thu, Mar 1, 2018 at 6:24 PM, Mark Thomas <ma...@apache.org> wrote:
> On 01/03/18 02:59, Echo Wang wrote:
>>>
>>> 1) private@dubbo.apache.org
>>
>>
>> +1
>
> With my mentor hat on:
>
> No.
>
> All security vulnerability reports need to be visible to the ASF
> security team and if they are reported directly to the private@ list
> that doesn't happen.
>
> The podling needs to choose which of the following addresses it wishes
> to publish for security reports and then make sure that the chosen
> address is clearly signposted:
>
> 1. security@dubbo.apache.org
> 2. security@apache.org
>
> If the podling chooses the first, the podling will need to request that
> that list is set up by INFRA. All security@<project>.apache.org lists
> are automatically copied to the ASF security team.
>
> If the podling chooses security@a.o (the ASF wide security address),
> that team will then forward reports to private@dubbo.apache.org
>
> Now is probably also a good time for the project community to review the
> security vulnerability handling process:
>
> http://www.apache.org/security/committers.html
>
> Mark

-- 
Best Regards!
Huxing

Re: Private channel for reporting security issues

Posted by Mark Thomas <ma...@apache.org>.
On 01/03/18 02:59, Echo Wang wrote:
>>
>> 1) private@dubbo.apache.org
> 
> 
> +1

With my mentor hat on:

No.

All security vulnerability reports need to be visible to the ASF
security team and if they are reported directly to the private@ list
that doesn't happen.

The podling needs to choose which of the following addresses it wishes
to publish for security reports and then make sure that the chosen
address is clearly signposted:

1. security@dubbo.apache.org
2. security@apache.org

If the podling chooses the first, the podling will need to request that
that list is set up by INFRA. All security@<project>.apache.org lists
are automatically copied to the ASF security team.

If the podling chooses security@a.o (the ASF wide security address),
that team will then forward reports to private@dubbo.apache.org

Now is probably also a good time for the project community to review the
security vulnerability handling process:

http://www.apache.org/security/committers.html

Mark

Re: Private channel for reporting security issues

Posted by Echo Wang <do...@apache.org>.
>
> 1) private@dubbo.apache.org


+1