...
- Upon receiving notice of a potential security issue, a member of the security team creates a bug to track the investigation. The bug must be flagged as a security issue; the security flag means the contents of the ticket are not visible to anyone outside the security team.
- The security team investigates the issue to confirm or deny the presence of a vulnerability in CloudStack.
- If the issue is determined not to be a vulnerability, the reporter is notified and the issue is closed as invalid.
- If the issue is confirmed as a CloudStack vulnerability:
  - The security team notifies the Apache Security Team (this happens automatically, since they are subscribed to the security@ list).
  - The security team creates a Jira issue to document and track the vulnerability, marking it private.
  - The security team notifies the release manager for the target release version.
  - The security team assigns a risk rating to the vulnerability using the Common Vulnerability Scoring System (CVSS).
  - The security team works with the reporter to secure time to investigate and mitigate the issue before any public announcement. This should be between 15 and 30 days, depending on the severity and complexity of the issue.
  - The security team works with the Apache Security Team to reserve a CVE identifier for the future public release.
  - The security team works with the appropriate code maintainer(s) to create a patch that mitigates the issue.
  - Testing is conducted to verify that the patch mitigates the issue and does not cause regressions.
  - Once the fix is confirmed, the release manager is notified to ensure the fix is included in the appropriate release.
  - The security team creates a vulnerability announcement.
  - The patch is committed to trunk and to any other supported branches that are affected. Because commits are public before the announcement is made, the commit message must not refer to a particular vulnerability.
  - A new CloudStack release or hotfix containing the security patch is prepared and tested.
  - Typically these are narrowly focused maintenance releases and do not require a formal release announcement from ACS.
  - Coordination with distributors is arranged so that the announcement can be made jointly.
- The security team posts the vulnerability announcement to:
  - the CloudStack dev list
  - the CloudStack users list
  - the CloudStack Security alerts web page
  - the Bugtraq mailing list
- After the announcement, the CHANGES and NEWS files are updated to reflect the vulnerability and its fix. This must happen AFTER the announcement, never before it.
- Also after the announcement, the Jira ticket is modified so that the issue is publicly viewable.
- After the vulnerability is addressed, the CloudStack community should review its development processes to see how the chance of similar vulnerabilities being introduced in the future can be minimized.
...