[For Review]: Open Source Security Foundation Vulnerability Disclosure Policy #149
Comments
This has been actively collaborated on with the Vuln Disc WG. Jonathan has sought a lot of input to date to get us here.
+1 on this, it's a great start!
Now that this policy has been ratified by the TAC, where should it live? @SecurityCRob has proposed within this repository directly. Do others have other suggestions or opinions?
I think it'd be nice to make it available from openssf.org. Where exactly, I'm not quite sure. Most of the existing policies (privacy policy, terms of use, antitrust policy) point back at Linux Foundation pages. Maybe either as an FAQ item on https://openssf.org/about/, or as its own page linked off the "About" menu in the header?
Wouldn't it make sense to put it under https://openssf.org/resources?
I'm not sure if the TAC needs to own the decision of where exactly on the website this lands (maybe @JLLeitschuh can use his best judgement and work with LF staff on that) - but it at least sounds like we're aligned that the vuln disclosure policy should live somewhere on https://openssf.org/?
There are two questions at play here I think. Where does the source live, and where is the published version hosted? For the source version, which is what I'm more concerned about in the short term, I'm wondering what repository it should live in under the OSSF GitHub org.
Shouldn't the source be in the Vulnerability Disclosures WG repo?
Maybe? The counter argument to this is that, since this is an organization-level policy that has been ratified by the TAC, is that still the appropriate location for it to live?
Ah, thanks for this clarification! I don't think this belongs in the TAC repo just because the TAC reviewed / approved it. There's lots of stuff the TAC reviews / approves that isn't in the TAC repo. I think https://github.com/ossf/foundation makes the most sense. In fact, that's the current home of the OpenSSF Content Policy.
Any arguments for https://github.com/ossf/.github vs https://github.com/ossf/foundation ? Should all of the foundation docs be moved to the I ask because, I presume, the SECURITY.md policy, when created, will be published in https://github.com/ossf/.github right? Shouldn't other policy docs live there then as well?
Yes, community health files all belong in the org's .github repo so that they can be the defaults for every repo. However, things that aren't supported by GitHub can go anywhere - although that's a reasonable place to put them.
For what it's worth I think it would have made sense for it to go through the Vulnerability Disclosures WG first, before being brought up to the TAC. So I still think it would make sense to have the source/model file there.
This is the process that was followed.
Oh right, I took part in it. I should know! I'm getting old...
Was that supposed to be @steiza assigned instead of me?
Yup.
Please let me know if anything needs changing on the website. I have direct access so it is very easy to change.
Derp. Sorry about that!
Website content looks great; thanks @hythloda! In terms of what repository this policy should live in, I still think https://github.com/ossf/foundation makes the most sense. Really, the only purpose of https://github.com/ossf/.github should be for the public README on https://github.com/ossf. If we want to have a template repository, we could, but that should probably be separate from If the policy is OpenSSF wide, it seems like it should live somewhere like https://github.com/ossf/foundation.
We like? ossf/foundation#31
@bobcallaway @AevaOnline @lehors @dlorenc please weigh in on your thoughts on placement for this so we can close this.
I feel like the main policy should go in the foundation repo and the template in the Vuln WG repo. But as I said on ossf/foundation#31 "it seems that this is turning into a bikeshedding topic so feel free to ignore my preference if that helps getting to closure." :-)
+1, we've spent more time talking about it instead of just merging it
@JLLeitschuh please follow Arnaud's suggestion and get the template located within the vuln WG's repo, and we'll post the text up at the foundation level, as per ossf/foundation#31; then we can close this out.
Here's a quick clarification to prevent confusion: this issue is only for an OUTGOING vulnerability disclosure policy. The Vulnerability Disclosures WG has ALSO separately drafted an INCOMING vulnerability disclosure policy, that is, on how to report vulnerabilities to the OpenSSF (and how the OpenSSF should handle them). You can see the discussion & content of the draft INCOMING vulnerability disclosure policy here: ossf/wg-vulnerability-disclosures#128. I'd like to see that work eventually come to fruition, but it's separate & I don't want them confused with each other :-).
@hythloda are we good to close this? The link exists on the foundation webpage, correct?
The Vulnerability Disclosure WG has developed a proposal for an OpenSSF Vulnerability Disclosure Policy. This policy is for outgoing vulnerabilities, not incoming vulnerabilities. This is particularly relevant to the Alpha Omega project as it defines the policy under which vulnerabilities A-O finds are disclosed to maintainers.
At this time we are requesting both TAC and LF legal review of the policy. We are seeking approval to make this an official OpenSSF policy. This policy will define how all OpenSSF discovered vulnerabilities are disclosed to maintainers.
https://docs.google.com/document/d/1W2Xfw9i5pSA-0XbIw3a4kcW2o4PByxDbjcnWe9mlQwA/edit
Relevant Vulnerability Disclosures WG issue: ossf/wg-vulnerability-disclosures#122
I'd like to also get on the agenda for the soonest TAC meeting to discuss this proposal.