...

  • Upon receiving notice of a potential security issue, a security team member creates a bug to track the investigation. This bug must be flagged as a security issue; the security flag restricts the contents of the ticket so that they are not visible to anyone outside the security team.
  • Security team investigates the issue to confirm/deny the presence of a vulnerability within CloudStack
  • If the issue is determined not to be a vulnerability, the reporter is notified and the issue is closed as invalid.
  • If issue is confirmed as a CloudStack vulnerability:
    • Security team notifies the Apache Security Team (this happens automatically, since the Apache Security Team is subscribed to the security@ list)
    • Security team creates a Jira issue to document and track the issue, marking it private
    • Security team notifies release manager for target release version
    • Security team assigns a risk rating to the vulnerability using the Common Vulnerability Scoring System
    • Security team works with the reporter to agree on a window in which the issue can be investigated and mitigated before public announcement. This should be between 15 and 30 days, depending on the severity and complexity of the issue.
    • Security team works with Apache Security Team to reserve a CVE Identifier for future public release
    • Security team works with appropriate code maintainer(s) to create patch to mitigate the issue
    • Testing is conducted to verify that the patch mitigates the issue and does not introduce regressions.
    • Once fix is confirmed, notify release manager to ensure the fix is in the appropriate release.
    • Security team creates a vulnerability announcement
    • Patch is committed to trunk and to the other supported branches that are affected. The commit (including its message) should not refer to the particular vulnerability it fixes.
    • A new CloudStack release or hotfix is prepared and tested, containing the new security patch.
      • Typically these are narrowly focused maintenance releases and do not require a formal release announcement from ACS.
    • Downstream distributors are coordinated with in advance so that the vulnerability announcement can be made at the same time.
    • Security team posts vulnerability announcement to...
      • CloudStack dev list
      • CloudStack users list
      • CloudStack Security alerts web page
      • The Bugtraq mailing list
    • After announcement, CHANGES and NEWS files need to be updated to reflect the vulnerability and fix. This must happen AFTER the announcement.
    • Also after announcement, modify the Jira ticket so that the issue is now publicly viewable.
  • After the vulnerability is addressed, the CloudStack community should review development processes to see how the community can minimize the chance of similar vulnerabilities being introduced in the future.

...