public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Wang, Jian J" <jian.j.wang@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
	"lersek@redhat.com" <lersek@redhat.com>
Cc: "Zimmer, Vincent" <vincent.zimmer@intel.com>,
	"Cetola, Stephano" <stephano.cetola@intel.com>,
	"Gao, Liming" <liming.gao@intel.com>
Subject: Re: [edk2-devel] [RFC] Propose update of security bug handling process
Date: Mon, 15 Apr 2019 05:36:22 +0000	[thread overview]
Message-ID: <D827630B58408649ACB04F44C5100036258E1319@SHSMSX107.ccr.corp.intel.com> (raw)
In-Reply-To: <f2b2212d-b6e7-0adc-1600-305807c0ee6a@redhat.com>

Laszlo,


> -----Original Message-----
> From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of
> Laszlo Ersek
> Sent: Friday, April 12, 2019 8:52 PM
> To: Wang, Jian J <jian.j.wang@intel.com>
> Cc: devel@edk2.groups.io; Zimmer, Vincent <vincent.zimmer@intel.com>;
> Cetola, Stephano <stephano.cetola@intel.com>; Gao, Liming
> <liming.gao@intel.com>
> Subject: Re: [edk2-devel] [RFC] Propose update of security bug handling process
> 
> (Dropping bugs@edk2.groups.io <bugs@edk2.groups.io> from the address
> list, as that should be a list to receive automated Bugzilla email.)
> 
> On 04/12/19 10:43, Wang, Jian J wrote:
> > Hi,
> >
> > Currently, we generally follow below process to handle security bugs.
> > But there're no document to describe the detailed working flow. There're
> > also discussions on lacking of important information, poor issue description
> > and no timely notification on update, etc.
> >
> >        "0 - New Security Bug"
> >   -> "1 - Triage"
> >   -> "2 - Mitigation"
> >   -> "3 - Embargo"
> >   -> "4 - Disclosure"
> >   -> "5 - Exit";
> >
> > I have a proposal at following page to elaborate the process and try to address
> > all problems reported so far. Following content is for discussion only. Once the
> > process is finalized, it will be moved to official edk2 wiki page.
> >
> > https://github.com/jwang36/tianocore.github.io/wiki/Proposal-of-security-
> issue-process
> >
> > Any opinions and suggestions are welcomed.
> 
> Thanks for working on this!
> 
> I've skimmed the diagrams. I have one suggestion and one request for
> clarification.
> 
> 
> - Suggestion: a CVE number should be requested (if appropriate) as soon
> as the CVSS score (i.e. the nature of the vulnerability) has been
> calculated, and it has been determined whether platforms in practice
> (both physical and virtual) are affected.
> 
> This is important because vendors should have a common (cross-vendor)
> reference for tracking the issue even in their own internal systems, and
> this reference should be available to all vendors internally as soon as
> upstream determines the issue has security impact.
> 
> Additionally, as soon as members begin collaborating on actual patches,
> the patches should carry the CVE number in the subject line(s).
> 

No strong opinion. If no objection, let's do as you suggested.

> 
> - Request for clarification: the Embargo diagram should clarify that
> vendors are *forbidden* from shipping fixes in their own products,
> regardless of format, until the embargo is lifted. The point of an
> embargo is to release/ship the fixes all at once, across all vendors.
> 
> It's OK to wait for a while between "3.5 Announce Embargo End", and "4.3
> Open BZ To Public" / "4.4 Open source the patch". That's the interval
> when vendors would release their fixes all together.
> 
> It's *not* OK, for any vendor, to ship their own fixes before "3.5
> Announce Embargo End".
> 
> Yes, this means that some vendors will have to wait on other vendors,
> and some vendors will have to work more hastily than they are used to,
> for the sake of other vendors. This is what coordinated/responsible
> disclosure means, and it aims to benefit the cumulative user base.

I think it's impractical to ask all vendors to release the fixes at the same
time. The longer a security issue exists in a product, the more damage
may be caused potentially. I don't think any vendor want to risk that. But
it's reasonable and feasible to ask vendors not to expose the issue details
in the embargo period.

So my understanding is that embargo is for preparing the security issue
information disclosure purpose, during which all vendors should integrate
the mitigation solution into their products. Actually, once someone else
find the same issue and open it to public in the period, we should end the
embargo immediately. This step is missing in the work flow chart.

Vincent, please correct me if anything wrong here.

Regards,
Jian
> 
> Thanks
> Laszlo
> 
> 


  reply	other threads:[~2019-04-15  5:36 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-04-12  8:43 [RFC] Propose update of security bug handling process Wang, Jian J
2019-04-12 12:51 ` Laszlo Ersek
2019-04-15  5:36   ` Wang, Jian J [this message]
2019-04-15 17:04     ` [edk2-devel] " Laszlo Ersek
2019-04-16  6:06       ` Wang, Jian J
2019-04-16  6:33         ` Andrew Fish
2019-04-16  0:03     ` Vincent Zimmer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=D827630B58408649ACB04F44C5100036258E1319@SHSMSX107.ccr.corp.intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox