Open caniszczyk opened 2 years ago
We request the LF Legal team to vet the current SRC process [1] and update the LF/CNCF guidance, specifically, we want to know if the process SRC documented has any implications for folks in companies that are in the Export Administration Regulations Entity List. Currently these folks may be:
Case 1: A reporter of security related issues using the security mailing list requests status on their reported issue. Project investigation has subsequently led to a ripple of additional security vulnerability content in additional project(s), which are not yet public and may never fully be public. Is replying with detailed status (e.g. the other project, other CVE code files/lines, proof-of-concept exploit) an export of a controlled class of information to a controlled entity?
Case 2: A member of the private distributors list [2] who is under embargo receives detailed pre-disclosure of a new CVE. With controlled entities on the private distributors list, is the SRC exposed to claims of an export of a controlled class of information to a controlled entity? [3]
Case 3: A reporter is privately collaborating with SRC in private conversation around investigation, test code, proof-of-concept experimentation which is never subsequently publicly shared on the internet. Does this conversation represent SRC export of a controlled class of information to a controlled entity?
Thanks, Kubernetes Steering
[1] https://github.com/kubernetes/committee-security-response/blob/main/security-release-process.md
[2] https://github.com/kubernetes/committee-security-response/blob/main/private-distributors-list.md
[3] https://www.linuxfoundation.org/blog/linux-foundation-statement-on-huawei-entity-list-ruling/
Any update on this @caniszczyk ?
Still a WIP, a new draft is with our legal folks, needs a bit more time.
On Fri, Mar 25, 2022 at 6:28 PM Davanum Srinivas @.***> wrote:
Any update on this @caniszczyk https://github.com/caniszczyk ?
-- Cheers,
Chris Aniszczyk https://aniszczyk.org
UPDATE: @mkdolan has had an initial discussion with some folks from the Kubernetes Security Response Team today and walked through the processes that have been documented by SRC. Next step is to set up a call with Mishi Choudhary, hopefully the week of April 25th.
The Kubernetes SC has requested that the LF look at updating our guidance on export control in relation to the Kubernetes security disclosure process and security disclosure in particular:
https://www.linuxfoundation.org/tools/understanding-us-export-controls-with-open-source-projects/
The goal output here would be an update to the above document based on any input through the exercise.