Skip to content
Snippets Groups Projects
Commit 37b604b8 authored by Marta Rybczynska's avatar Marta Rybczynska
Browse files

cve_policy: update the policy


Update the policy with details related to Eclipse processes,
the setup of the Gitlab bugtracker.

Signed-off-by: default avatarMarta Rybczynska <marta.rybczynska@linaro.org>
parent 9b682960
No related branches found
No related tags found
No related merge requests found
Pipeline #12014 passed
...@@ -4,8 +4,8 @@ ...@@ -4,8 +4,8 @@
.. include:: ../definitions.rst .. include:: ../definitions.rst
Vulnerability Handling Process (draft) Vulnerability Handling Process
###################################### ##############################
|main_project_name| aims to build a secure system from the foundation, applying |main_project_name| aims to build a secure system from the foundation, applying
the best industry practices in terms of development quality. However, as in the best industry practices in terms of development quality. However, as in
...@@ -19,6 +19,8 @@ protect deployed products, sometimes we need to delay releasing information ...@@ -19,6 +19,8 @@ protect deployed products, sometimes we need to delay releasing information
related to security issues, following the industry best practices. However, all related to security issues, following the industry best practices. However, all
information about vulnerabilities is becoming publicly available at the end. information about vulnerabilities is becoming publicly available at the end.
This process extends `the Eclipse security process <https://www.eclipse.org/security/policy.php>`.
How to Report a Vulnerability? How to Report a Vulnerability?
****************************** ******************************
...@@ -29,8 +31,8 @@ dedicated `security project <https://gitlab.eclipse.org/security/oniro-core>`_. ...@@ -29,8 +31,8 @@ dedicated `security project <https://gitlab.eclipse.org/security/oniro-core>`_.
To do so, login into our issue tracker or create a new account if you do not have one To do so, login into our issue tracker or create a new account if you do not have one
yet. Click on `New issue <https://gitlab.eclipse.org/security/oniro-core/-/issues/new>`_, then make sure to check the checkbox at the bottom yet. Click on `New issue <https://gitlab.eclipse.org/security/oniro-core/-/issues/new>`_, then make sure to check the checkbox at the bottom
'This issue is confidential and should only be visible to team members with at least 'This issue is confidential and should only be visible to team members with at least
Reporter access'. Please use the 'Issue' type of ticket and the associated template. Reporter access'. Please use the 'Issue' type of ticket, on top of the Description field choose
Fill in the title, answer the questions in the 'Description' field. 'default' template. Fill in the title, answer the questions in the 'Description' field.
Then click 'Create issue'. Then click 'Create issue'.
Your report should contain a description of the issue, the steps you took to Your report should contain a description of the issue, the steps you took to
...@@ -104,9 +106,10 @@ assigns it to the relevant developer. The security team also verifies which ...@@ -104,9 +106,10 @@ assigns it to the relevant developer. The security team also verifies which
versions are affected. versions are affected.
If the security team judges it could be exploited, they request a CVE number for If the security team judges it could be exploited, they request a CVE number for
the issue and set up the embargo duration. It is by default 90 the issue and set up the embargo duration (see details in the
days, and may be different if necessary (for example, if the fix will be `Eclipse project handbook <https://www.eclipse.org/projects/handbook/#vulnerability-cve>`__).
complicated to deploy, or the issue will be known earlier for some reasons). It is by default 90 days, and may be different if necessary (for example, if the fix will
be complicated to deploy, or the issue will be known earlier for some reasons).
The CVE number is mentioned in the confidential ticket, but should not be used The CVE number is mentioned in the confidential ticket, but should not be used
in any other communication until the end of the embargo. The commit messages in any other communication until the end of the embargo. The commit messages
...@@ -209,6 +212,12 @@ We follow the rules of the upstream projects, if applicable. ...@@ -209,6 +212,12 @@ We follow the rules of the upstream projects, if applicable.
This step is an equivalent of the Fix step of the Bug process. This step is an equivalent of the Fix step of the Bug process.
Gitlab currently does not allow adding outside assignees to a confidential issue.
It means that, when a team needs to add a domain expert, they need to create a
new confidential issue and add ALL people who should be working on the ticket
as assignees. This is currently the only workaround assuring no confidential data
disclosure.
Notify Notify
^^^^^^ ^^^^^^
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment