How to handle security vulnerabilities (was: OpenBMC security workgroup status)

Andrew Jeffery andrew at aj.id.au
Fri Jul 13 16:56:37 AEST 2018


On Fri, 13 Jul 2018, at 07:49, Joseph Reynolds wrote:
> > What's the short-term strategy for handling [security] vulnerability
> > reports received in the gap between now and getting some formal
> > process in place? 
> We don't have a strategy.  Let's discuss it here.
>  
> Officially (https://github.com/openbmc/openbmc/ section "Bug Reporting")
> issues are managed on GitHub. 
>
> Unofficially, Brad volunteered to accept one batch of security
> vulnerability reports and distribute them, presumably to the OpenBMC TSC
> members (https://github.com/openbmc/docs section "Technical Steering
> Committee ") or their delegates.  I assume they would privately contact
> a trusted OpenBMC contributor who could address the problem. 
>
> We could adapt the Linux model
> (https://www.kernel.org/doc/html/v4.16/admin-guide/security-bugs.html),
> although I am still looking for information on what the Linux security
> team does with the bug report.  For example, how security group members
> track and discuss problems among themselves, how they pull in additional
> resources to fix or mitigate the problem, and how they inform downstream
> distros before announcing the problem, etc. 

I thought the documentation described most of this? security@kernel.org is a private list, so discussions can happen there freely. With respect to informing downstream distros, as mentioned that's done via the linux-distros@vs.openwall.org list. As for how they pull in additional resources to fix or mitigate the problem, that's going to depend on the affected parties. No-one can order anyone to fix a particular problem, but the developers/maintainers/vendors involved have skin in the game so should be motivated to fix the issue.

>
> I think the first step for the OpenBMC team is to establish an email
> address (like security@openbmc.org), subscribe only trusted people to
> that email list, and update the docs to explain that you should email
> the security team for security questions, and use issues for everything
> else. 

Sounds good to me. Who can sort out security@? Brad? I'm sure we could sort out list hosting on ozlabs.org if necessary (like we use for this list).

> Presumably, the security team would communicate privately among
> themselves and the submitter to assess the situation, and contact
> OpenBMC community members privately to address the problem. 
> This would be an easy step to take, and would move the team in the right
> direction.  What do you think?

Sounds good enough for the moment!

Andrew