Guidance comes from Guide to implementing a coordinated vulnerability disclosure process for open source projects.

The current implementation is documented mostly in the Security wiki space.

The TSC asked on 30-SEP-2021 for some documentation of where we are, where we should be, and how we might get there.

Proposals:

  1. OSSF provides a sample security.md, which I propose the TSC adopt because it is simple; it would replace all existing SECURITY.md files across Hyperledger. The current security@hyperledger email alias would be used directly; currently that alias is redirected to a list which has members from several projects.
  2. Fabric uses HackerOne for intake as well. I propose expanding that program to include all graduated projects; this will require funding from the GB, as currently the only funds in HackerOne are DF from IBM.
  3. OSSF provides a GitHub app, AllStar. I propose enabling this for all GitHub orgs, with the proviso that it is only enforced for repos connected to a graduated project.
  4. I propose that proposal 3 be encouraged, but not required, for projects moving into the incubation state, regardless of inbound direction.

6 Comments

  1. For proposal #1, are you saying that the email_intake.md file will be used for SECURITY.md? There are three separate files in the link provided.

    1. Either the email_intake form, or github_security_policy.md.

  2. For Proposal #2, should we continue to use HackerOne? I have heard that the sort of issues that are reported via this mechanism are not usually valuable.

    1. There are two advantages to H1: it's easier to deal with people that aren't on GitHub, and it is well known.

      Most of the reports we get there are not useful.

  3. For proposal #3 (and by extension #4), we have had problems forcing tools on projects in the past. Why is this one different?

  4. This doesn't say what, if anything, should be done about the Security wiki space and in particular the related Defect Response page which Fabric's SECURITY.md currently points to.

    Do any of these pages need to be updated in light of the OSSF recommendation?