Fwd: Red Hat extends support for the CVE Program!
Joseph Reynolds
jrey at linux.ibm.com
Tue Aug 22 01:46:46 AEST 2023
To: OpenBMC community email list
To: OpenBMC Technical Steering Committee (TSC)
To: OpenBMC Technical Oversight Forum (TOF)
To: OpenBMC Security Response Team
To: OpenBMC CNA members
Does the OpenBMC project want to use RedHat as their root CNA?
The RedHat CVE Numbering Authority (CNA) is extending an invitation to
all open source projects, including OpenBMC, to use RedHat as their root
CNA. Does the OpenBMC project want to use RedHat as their root CNA?
This email is intended to forward this question and relevant background
information to the TSC, TOF, and security areas, not to discuss which
alternatives to choose.
This email is not confidential (the attached email is not confidential).
Please forward this to the OpenBMC Technical Steering Committee (TSC)
and to the OpenBMC Technical Oversight Forum (TOF).
Background:
CVEs are used to identify security vulnerabilities.
https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures
https://www.cve.org/ProgramOrganization/CNAs
The OpenBMC project has a security response team. It is intended to
give the project time to address security problems before public disclosure.
Reference:
https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md
The OpenBMC project has a continuing need to issue CVEs. There are
several options:
1. The OpenBMC security response team formed a CNA (specifically, James
Mihm, Joseph Reynolds, and Dhananjay Phadke were trained by MITRE in the CNA
program). There are several CVEs in progress (CVEs reserved but not
published).
https://www.cve.org/Media/News/item/news/2022/1/11/The-OpenBMC-Project-Added-as
2. GitHub can create CVEs for us via each source repo's "Security" tab.
Some OpenBMC project repos have created CVEs that way.
For example, see
https://github.com/openbmc/bmcweb/security/advisories?state=published
3. RedHat CNA is offering to include OpenBMC. They offer tools and
support for CVE tasks. See the attached "CVE Program FAQ" PDF or see:
https://www.cve.org/Media/News/item/blog/2023/01/10/Why-Red-Hat-Became-Root
4. In addition, organizations consuming OpenBMC will continue to have
their own security response teams. They can write CVEs for their own
products (from any source, including vulnerabilities which originate in
OpenBMC), but are not allowed to write OpenBMC-scoped CVEs. (For
security vulnerabilities which originate in the OpenBMC project itself,
ideally OpenBMC would write a CVE and that CVE would be referenced by
everyone else.)
For example, the IBM PSIRT team has a CNA for its own products.
Reference:
https://www.ibm.com/support/pages/product-security-incident-response-psirt-information
Full disclosure: I work for IBM, and IBM owns RedHat.
- joseph
-------- Forwarded Message --------
Subject: [Openbmc-security-CONFIDENTIAL] Red Hat extends support for
the CVE Program!
Date: Tue, 15 Aug 2023 10:35:36 +0530
From: Yogesh Mittal <ymittal at redhat.com>
CC: Jeremy West <jwest at redhat.com>, Christina Freeman
<chfreema at redhat.com>, rootcna-coordination at redhat.com, Yoav Buenos
<ybuenos at redhat.com>, Pedro Sampaio <psampaio at redhat.com>
This is CONFIDENTIAL. See:
https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team-guidelines.md
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE Program FAQ_OSS CNA.pdf
Type: application/pdf
Size: 52967 bytes
Desc: not available
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20230821/a25d4c6e/attachment-0001.pdf>