Versions Compared

Old Version 2

changes.mady.by.user John Kinsella

Saved on

compared with

New Version 3

changes.mady.by.user John Kinsella

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Please note this is a draft and being actively updated.

...

If you believe you have discovered a potential security issue with CloudStack, please follow the procedure on the CloudStack Security Page (need to link this somewhere).

...

  • Upon receiving notice of a potential security issue, a remediation team member will create a bug to track the investigation, this bug must be flagged as a security issue. Security flag should mean contents of ticket are not visible to non-security team members
  • Remediation team investigates the issue to confirm/deny the presence of a vulnerability within CloudStack
  • If issue is confirmed as a CloudStack vulnerability:
    • Remediation team notifies the Apache Security team
    • Remediation team assigns a risk rating to the vulnerability using the Common Vulnerability Scoring System
    • Remediation team works with reporter to get a chance to investigate and mitigate the issue in a timely manner before public announcement. This should be between 15-30 days, depending on the severity and complexity of the issue
    • Remediation team works with Apache Security Team to reserve a CVE Identifier for future public release
    • Remediation team works with appropriate code maintainer(s) to create patch to mitigate the issue
    • Testing is conducted to verify patch mitigates issue and does not cause regression errors
    • Remediation team creates a vulnerability announcement
    • Patch is committed to trunk and other supported branches that are affected.
    • A new CloudStack release is prepared and tested, containing the new security patch.
    • Remediation team posts vulnerability announcement to...
      • CloudStack dev list
      • CloudStack users list
      • CloudStack Security alerts web page
      • The Bugtraq mailing list
    • After announcement, CHANGES and NEWS files need to be updated to reflect the vulnerability and fix. This must happen AFTER the announcement.
    • Also after announcement, modify the Jira ticket so that the issue is now publicly viewable.
  • After the vulnerability is addressed, the CloudStack community should review development processes to see how the community can minimize the chance of similar vulnerabilities being introduced in the future.

...

Potential security issues must be treated in a sensitive manner by all parties involved. Early release of vulnerability details can place large numbers of CloudStack installations at risk for compromise. The CloudStack community realizes that committers may be employed by companies who provide their customers with CloudStack products. It is understandable that these companies may be very interested to get advanced notification of security issues, but any breeches of sensitive information prior to an official announcement of the vulnerability and mitigation will not be tolerated. CloudStack committers participate as individuals, and their employers must understand that the committer's primary loyalty is to the communitywhen interacting with the project they must act in the best interests of the Apache Software Foundation. Further information can be found on the ASF's How it Works page.

The CloudStack PPMC is happy to work with vendors during the process of responding to a security response in the following manner:

  • Initial security information is only shared on a need-to-know basis outside the PPMC to verify the issue and work on mitigation.
  • It is expected that for committers who are employed by companies using CloudStack, it is likely the companies will learn about the vulnerability before the general public. What must be stressed is the company must strive to ensure the confidentiality of the issue before general release. Failure to do so may threaten the status of the employee/committer in the CloudStack community.
  • We value help of the remediation team to verify the presence of a security issue and work on it's mitigation on their CloudStack systems. As an issue is verified and mitigation is developed and tested, the remediation team will strive to communicate the latest information to all involved. For companies who have employees on the remediation team, this can allow them to prepare (not publish) announcements and patches to provide to their customers.
  • During the response procedure, the remediation team will strive to communicate their timeline for issue verification, remediation development, creation of the vulnerability announcement draft, and general release of the vulnerability notification to the community. This is done to allow both remediation team members and their employers to prepare their own announcements and patches for their customers.
  • The target result is an orchestrated, simultaneous announcement across CloudStack and vendors. It is expected that the CloudStack remediation team may announce shortly before vendors - we are ultimately responsible for CloudStack and to our community. The reverse, where vendors announce before CloudStack, is not acceptable.

...