Guidance comes from Guide to implementing a coordinated vulnerability disclosure process for open source projects.
The current implementation is documented mostly in the Security wiki space.
The TSC asked on 30-SEP-2021 for some documentation of where we are, where we should be, and how we might get there.
Proposals:
- OSSF provides a sample security.md, which I propose the TSC adopt because it is simple; it would replace all existing SECURITY.md files across Hyperledger. The current security@hyperledger email alias would be used directly; at present that alias is redirected to a list whose members come from several projects.
- Fabric uses HackerOne for intake as well. I propose expanding that program to include all graduated projects; this will require funding from the GB, as currently the only funds in HackerOne are DF from IBM.
- OSSF provides a GitHub app, AllStar. I propose to enable this for all GitHub orgs, with the proviso that it is only enforced for repos connected to a graduated project.
- I propose that proposal 3 be encouraged, but not required, for projects moving into the incubation state, regardless of inbound direction.
6 Comments
Tracy Kuhrt
For proposal #1, are you saying that the email_intake.md file will be used for SECURITY.md? There are three separate files in the link provided.
Ry Jones
Either the email_intake form, or github_security_policy.md.
Tracy Kuhrt
For Proposal #2, should we continue to use HackerOne? I have heard that the sort of issues that are reported via this mechanism are not usually valuable.
Ry Jones
There are two advantages to H1: it's easier to deal with people that aren't on GitHub, and it is well known.
Most of the reports we get there are not useful.
Tracy Kuhrt
For proposal #3 (and by extension #4), we have had problems forcing tools on projects in the past. Why is this one different?
Arnaud J Le Hors
This doesn't say what, if anything, should be done about the Security wiki space, and in particular the related Defect Response page which Fabric's SECURITY.md currently points to.
Do any of these pages need to be updated in light of the OSSF recommendation?