223 lines
10 KiB
Markdown
223 lines
10 KiB
Markdown
# Security response team guidelines
|
||
|
||
These are the guidelines for OpenBMC security responders, including the security
|
||
response team, project owners, and community members who are responding to
|
||
problems reported by the [security vulnerability reporting process][].
|
||
|
||
Each project within OpenBMC works independently to resolve security
|
||
vulnerabilities. The security response team helps the maintainers, provides
|
||
consistency within the OpenBMC project, and helps to get CVEs assigned.
|
||
|
||
Here are the primary expectations:
|
||
|
||
- Keep problems private until announce.
|
||
- Work with diligence.
|
||
- Keep stakeholders informed.
|
||
|
||
Workflow highlights:
|
||
|
||
1. Handle new problem reports.
|
||
|
||
- Within a day, acknowledge you received the report. Note that reports are
|
||
archived in the mailing list.
|
||
- Communicate by opening the GitHub draft security advistory as soon as the
|
||
problem is known.
|
||
|
||
2. Analyze the problem and engage collaborators as needed (upstream, downstream,
|
||
and OpenBMC).
|
||
|
||
- Determine if the problem is new or known.
|
||
- Determine if the problem is in OpenBMC.
|
||
- If the problem is in a project that OpenBMC uses, re-route the problem to
|
||
that upstream project.
|
||
- Note that the problem may be in a customized version of OpenBMC but not
|
||
in OpenBMC itself.
|
||
- Determine which OpenBMC areas should address the problem.
|
||
- [Create the draft security advisory][] and populate its fields.
|
||
- The Ecosystem would normally be "OpenBMC" and the package name is
|
||
normally the repository.
|
||
- Please describe when the problem was introduced to help users learn if
|
||
they are affected. Use Git tags and commit IDs if known. It also may be
|
||
helpful to say what OpenBMC version is affected. For example, if the
|
||
problem in the original code through OpenBMC release 2.9, the affected
|
||
version is "<= 2.9". See [OpenBMC releases][].
|
||
- Use private channels, for example, email, GitHub draft security advistory,
|
||
or private direct messaging.
|
||
- Inform contacts this is private work as part of the OpenBMC security
|
||
response team. For example, link to these guidelines.
|
||
- Coordinate with all collaborators and keep them informed.
|
||
|
||
Considerations in the [CERT Guide to Coordinated Vulnerability Disclosure][] (SPECIAL
|
||
REPORT CMU/SEI-2017-SR-022) may guide the process.
|
||
|
||
Example collaborations:
|
||
|
||
- Submit the problem to another security response team, for example, the
|
||
[UEFI Security Response Team (USRT)][].
|
||
- Privately engage an OpenBMC maintainer or subject matter expert.
|
||
|
||
3. For OpenBMC problems.
|
||
1. Determine if this is a high severity problem. Example using CVSS metrics:
|
||
a remotely exploitable or low complexity attack that has high impact to
|
||
the BMC's confidentiality, integrity, or availability.
|
||
2. Avoid pre-announcing problems. Be especially careful with high severity
|
||
problems. When fixing the problem, use the contribution process but limit
|
||
the details in the issue or use a private channel to discuss.
|
||
3. Negotiate how the code review will proceed.
|
||
- Consider [contributing][] using a Gerrit [private change][] if everyone has
|
||
access to Gerrit.
|
||
- Consider using [Patch set][] emails to make reviews accessible to all stakeholders.
|
||
4. When agreed:
|
||
- Publish a security advisory to the affected OpenBMC repository.
|
||
- Make the Gerrit review publicly viewable.
|
||
- Publish the CVE in the CVE database.
|
||
5. Improve OpenBMC processes to avoid future problems.
|
||
|
||
Repository maintainer process steps: 1. Create a private gerrit code review and
|
||
oversee development of the fix. 2. Create a draft advisory under
|
||
github.com/openbmc/<REPO>/security/advisories. Please follow guidance in the
|
||
[OpenBMC Security Advisory Template][]. Add the openbmc security-response group and
|
||
other stakeholders to the advisory. 3. Review the security bulletin with stakeholders
|
||
to get it ready to publish. 4. Work with the SRT to identify CVEs. If you are unsure
|
||
what counts as a vulnerability, please consult with the SRT. For example, independent
|
||
bugs should have separate CVEs. A security advisory can reference multiple CVEs.
|
||
When the CVE is known, add it to the security advisory, and reference it in the commit
|
||
message, stating how the fix relates to the CVE. For example: This fixes CVE-yyyy-nnnnn.
|
||
Doing so helps downstream security responders. If the commit is a partial fix, please
|
||
explain that and provide references to the other parts of the fix. 5. If stakeholders
|
||
negotiate for coordinated disclosure, plan to release the fix and the security advisory
|
||
on the negotiated day. 6. When the code fix and the advisory are both ready (subject
|
||
to coordinated disclosure), please merge the fixes (and make any private review be
|
||
public) publish the security advisory, and email the security-response team.
|
||
|
||
[security vulnerability reporting process]: ./obmc-security-response-team.md
|
||
[cvss metrics]: https://www.first.org/cvss/calculator/3.0
|
||
[uefi security response team (usrt)]: https://uefi.org/security
|
||
[cert guide to coordinated vulnerability disclosure]:
|
||
https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf
|
||
[contributing]:
|
||
https://github.com/openbmc/docs/blob/master/CONTRIBUTING.md#submitting-changes-via-gerrit-server
|
||
[openbmc releases]:
|
||
https://github.com/openbmc/docs/blob/master/release/release-notes.md
|
||
[private change]:
|
||
https://gerrit-review.googlesource.com/Documentation/intro-user.html#private-changes
|
||
[patch set]: https://en.wikipedia.org/wiki/Patch_(Unix)
|
||
[create the draft security advisory]:
|
||
https://docs.github.com/en/code-security/repository-security-advisories/creating-a-repository-security-advisory
|
||
[openbmc security advisory template]: obmc-github-security-advisory-template.md
|
||
|
||
## Template: Initial response to the problem submitter
|
||
|
||
The OpenBMC security response team has received the problem.
|
||
|
||
- Thank you for reporting this.
|
||
- Share preliminary results of the analysis.
|
||
- Share preliminary OpenBMC plans or that we are analyzing the problem.
|
||
- Set expectations for follow-up communications.
|
||
|
||
## Template: OpenBMC Security Advisory
|
||
|
||
```
|
||
OpenBMC Security Advisory
|
||
Title: ...
|
||
|
||
...summary: include CVEs, releases affected, etc....
|
||
|
||
The CVSS score for these vulnerabilities is "...", with temporal score
|
||
"...", with the following notes:
|
||
https://www.first.org/cvss/calculator/3.0
|
||
|
||
The fix is in the https://github.com/openbmc/... repository as git
|
||
commit ID ....
|
||
|
||
For more information, see OpenBMC contact information at
|
||
https://github.com/openbmc/openbmc file README.md.
|
||
|
||
Credit for finding these problems: ...
|
||
```
|
||
|
||
## Template: Security Advisory notice
|
||
|
||
When the Security Advisory is created, inform the OpenBMC community by sending
|
||
email like this:
|
||
|
||
```
|
||
TO: openbmc-security@lists.ozlabs.org, openbmc@lists.ozlabs.org
|
||
SUBJECT: [Security Advisory] ${subject}
|
||
|
||
The OpenBMC Security Response team has released an OpenBMC Security Advisory:
|
||
${url}
|
||
|
||
An OpenBMC Security Advisory explains a security vulnerability, its severity,
|
||
and how to protect systems that are built on OpenBMC. For more information
|
||
about OpenBMC Security Response, see:
|
||
https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md
|
||
```
|
||
|
||
## Reference
|
||
|
||
Some of these guidelines were collected from:
|
||
|
||
- https://bestpractices.coreinfrastructure.org/en/projects/34
|
||
- https://www.kernel.org/doc/html/v4.16/admin-guide/security-bugs.html
|
||
- https://oss-security.openwall.org/wiki/mailing-lists/distros
|
||
- [ISO/IEC 29147:2018 vulnerability disclosure](https://www.iso.org/standard/72311.html)
|
||
|
||
## Team composition and email maintenance
|
||
|
||
The security response team (SRT) is controlled by the OpenBMC Technical Steering
|
||
Committee, including membership on the team. General considerations for SRT
|
||
membership:
|
||
|
||
- Although individuals join the SRT, it is really organizations which join as
|
||
represented by their SRT members. The SRT members are expected to:
|
||
- Participate in their organization's SRT.
|
||
- Designate backup OpenBMC SRT members.
|
||
- Share OpenBMC security vulnerability information within their organization
|
||
with the same care as stated in this document.
|
||
- Membership is intended for organizations which have a vested interest in
|
||
OpenBMC security response. Here are some examples to consider:
|
||
- Organizations which have products or services built on OpenBMC which are
|
||
publicly available and disclose security bugs to their users. This includes
|
||
systems directly built on OpenBMC, and larger systems such as data centers.
|
||
- Organizations which focus on BMC security research or security response.
|
||
- Evaluation of an organization may be based on its members' OpenBMC community
|
||
roles, technical skills, and expertise responding to security incidents.
|
||
- Membership should not be granted without compelling reason. The intention is
|
||
to avoid premature disclosure of security vulnerabilities by limiting
|
||
membership to those with vested interest.
|
||
|
||
The security response team uses the `openbmc-security at lists.ozlabs.org`
|
||
private email list as a channel for confidential communication, so its
|
||
membership reflects the composition of the security response team. The list
|
||
membership should be reviewed periodically and can be managed from
|
||
`https://lists.ozlabs.org/listinfo/openbmc-security`.
|
||
|
||
The email list subscribers should be reminded periodically to protect access to
|
||
the emails from the list because of the sensitive information they contain.
|
||
|
||
The email list membership is not intended to be secret. For example, we can
|
||
discuss it a public forum. However, no effort is made to make the list's
|
||
membership public.
|
||
|
||
The email list identification is
|
||
`for privately reporting OpenBMC security vulnerabilities` with description:
|
||
This email list is for privately reporting OpenBMC security vulnerabilities.
|
||
List membership is limited to the OpenBMC security response team. For more
|
||
information, see
|
||
https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md
|
||
|
||
Sample response for denying list membership:
|
||
|
||
```
|
||
Thanks for your interest in OpenBMC security. Subscriptions to the
|
||
openbmc-security@lists.ozlabs.org email list are by invitation only
|
||
and are typically extended only to security response team members.
|
||
For more information, see https://github.com/openbmc/docs/security or
|
||
attend a security working group meeting:
|
||
https://github.com/openbmc/openbmc/wiki/Security-working-group.
|
||
|
||
Yours truly,
|
||
OpenBMC security response team
|
||
```
|