Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Simple Vulnerability Intake Form for OSS Projects #94

Open
SecurityCRob opened this issue Feb 16, 2021 · 5 comments
Open

Simple Vulnerability Intake Form for OSS Projects #94

SecurityCRob opened this issue Feb 16, 2021 · 5 comments

Comments

@SecurityCRob
Copy link
Contributor

A pain point this group identified between Finder/Researchers and Maintainers is the lack of an easy, consistent way to share vuln. reports that capture enough information that makes them actionable on the developer-end. To that end, I submit this simple form for the group to comment on so we can ultimately have a template that correctly captures how best Finders can communicate with an OSS Maintainer when they discover/suspect a vulnerability. I am looking forward to the conversation:

TITLE!

Researcher: YOUR NAME or L33T h@x0rr handle!

Contact information: How do you want to communicate about this?

Description:
Short, yet descriptive overview of what you’ve found

Exploitation technique:
Local, Remote, other?

Impact(s):
What breaks with the thing you found?

Proof of Concept:
POC Code and/or steps to reproduce (can attach a file)

Mitigation:
Any suggestions on how to fix it?

Affected versions:
What Product, OS, stack and versions have you tested against?

Timeline:
Have you shared with anyone else yet (who and when)? Do YOU have a deadline they should be aware of?

Credits:
Who should get credit for all of this good work?

@msmeissn
Copy link
Contributor

sounds good as-is... i would perhaps mention encryption method additionaly.

@lirantal
Copy link

Hopefully, this gets disclosed in a private issue though. Is that possible to do? (private security issue + issue template)

@esarafianou
Copy link
Contributor

@RedHatCRob Could you submit the template as a PR for easier commenting/collaboration?

@johnandersen777
Copy link

johnandersen777 commented Mar 24, 2023

Not sure if this is still active, but have been working on a methodology as part of this SCITT use case: WIP: RFCv6: IETF SCITT: Use Case: Attestations of alignment to S2C2F and org Overlays. In this use case we're looking at OpenVEX as the format which we could use to submit the vuln. We'd use the description or evolution of the linked data format there to reference a SARIF or other standard format document or set of instances of formats which would act as the justification, with the status set to affected. Effectively submitting the "form" would be proposing that an ad-hoc generated CVE-ID affects a product. Perhaps a schema and example of form above would help restart discussion?

Ping @kaniini, thoughts? (I might have totally f'd this up, please let me know, thank you 🐇 :) I mentioned in openvex/spec#9 that the ActivityPub.content piggyback based approach in that use case doc is probably too high in the stack protocol/bytes overhead wise, still eagerly awaiting Rapunzel. There may be cases where people like OSS maintainers might want to leverage existing infra to relay at the content level due to not being able to host infra themselves, but not sure what the next move is for vuln comms interop yet until hearing more input from you.

"@context":
  "@vocab": "https://github.com/intel/dffml/raw/93b9b339b2821c330791b33fe12c19c1b7f21fac/schema/security/vuln/proposed/0.0.0.schema.json"
"@id": "https://github.com/intel/dffml/blob/93b9b339b2821c330791b33fe12c19c1b7f21fac/schema/security/vuln/proposed/example.0.0.0.yaml"
include:
- affected_versions:
  - 0.0.0
  credits:
  - name: Alice
  description: "Some kind of caterpillar"
  exploitation_techniques:
  - remote
  - local
  mitigation: "Wake up!"
  poc: |
    print("🐛")
  timeline:
  - date: "2022-04-17"
    description: "Here"
    parties:
    - name: Alice
  - date: "2023-03-23"
    description: "Reported"
    parties:
    - name: Alice
    - name: Bob
$id: https://github.com/intel/dffml/raw/93b9b339b2821c330791b33fe12c19c1b7f21fac/schema/security/vuln/proposed/0.0.0.schema.json
$schema: https://json-schema.org/draft/2020-12/schema
definitions:
  affected_version:
    description: What Product, OS, stack and versions have you tested against? TODO
      regex for PURLs
    type: string
  entity:
    description: Who done it
    properties:
      name:
        description: Whooooo areeeeee youuuuuu?
        type: string
    type: object
  exploitation_technique:
    description: How can did you break it?
    enum:
    - local
    - remote
    type: string
  mitigation:
    description: Any suggestions on how to fix it?
    type: string
  poc:
    description: POC Code and/or steps to reproduce (can attach a file, base64 encode
      a zip or tar for now if a repo or more than one file)
    type: string
  proposed_vuln:
    properties:
      affected_versions:
        items:
          $ref: '#/definitions/affected_version'
        type: array
      credits:
        items:
          $ref: '#/definitions/entity'
        type: array
      description:
        description: "Short, yet descriptive overview of what you\u2019ve found"
        type: string
      exploitation_techniques:
        items:
          $ref: '#/definitions/exploitation_technique'
        type: array
      mitigation:
        $ref: '#/definitions/mitigation'
      poc:
        $ref: '#/definitions/poc'
      timeline:
        $ref: '#/definitions/timeline'
    type: object
  timeline:
    description: What are we thinking the order of events related to responsible discloure
      is?
    items:
      $ref: '#/definitions/timeline_item'
    type: array
  timeline_item:
    description: Something is happneing!
    properties:
      date:
        description: When is this timeline itme happening. TODO date regex. TODO non-linear
          time conversion helpers
        type: string
      description:
        description: What's happening at this point in time?
        type: string
      parties:
        description: Who's involved in this timeline item?
        items:
          $ref: '#/definitions/entity'
        type: array
    type: object
properties:
  '@context':
    items:
      type: string
    type: array
  '@id':
    type: string
  include:
    items:
      $ref: '#/definitions/proposed_vuln'
    type: array

johnandersen777 pushed a commit to intel/dffml that referenced this issue Mar 24, 2023
johnandersen777 pushed a commit to intel/dffml that referenced this issue Mar 24, 2023
johnandersen777 pushed a commit to intel/dffml that referenced this issue Mar 24, 2023
johnandersen777 pushed a commit to intel/dffml that referenced this issue Mar 24, 2023
johnandersen777 pushed a commit to intel/dffml that referenced this issue Mar 24, 2023
johnandersen777 pushed a commit to intel/dffml that referenced this issue Mar 24, 2023
johnandersen777 pushed a commit to intel/dffml that referenced this issue Mar 24, 2023
@johnandersen777
Copy link

johnandersen777 commented Mar 26, 2023

Looks like related work is happening over in CycloneDX as well, woohoo!

johnandersen777 pushed a commit to intel/dffml that referenced this issue Aug 14, 2024
…ke Form for OSS Projects OpenSSF Vuln Disclosures WG Issue

Related: ossf/wg-vulnerability-disclosures#94
johnandersen777 pushed a commit to intel/dffml that referenced this issue Aug 20, 2024
…ke Form for OSS Projects OpenSSF Vuln Disclosures WG Issue

Related: ossf/wg-vulnerability-disclosures#94
johnandersen777 pushed a commit to intel/dffml that referenced this issue Aug 20, 2024
…ke Form for OSS Projects OpenSSF Vuln Disclosures WG Issue

Related: ossf/wg-vulnerability-disclosures#94
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants