Have each project designate contact points as security mavens; this helps in auditing.
Audits serve as a way to prove that the project took the right measures against a potential risk.
CVEs will be published openly at the end of 90 days, unless an extension is explicitly requested.
Introduction/background material
The Security Task Force provided recommendations to the 2022 TSC. One of those recommendations had to do with vulnerability disclosures.
During the discussions with the 2022 TSC, there was concern about mandating vulnerability disclosure within 90 days.
Of note, Hyperledger documents a responsible disclosure policy in Security Team Policies as:
Responsible Disclosure
48 hours to respond to the reporter acknowledging the report.
1 week to triage, report, and coordinate with the affected project maintainers to plan the fix of the bug.
90 days to fix and release a fix or disclose the security bug.
Any "critical" errors shall be assigned a CVE number and disclosed through the formal CVE system.
Given this discrepancy between what is documented and what is understood, we need to revisit this to ensure that all Hyperledger projects understand their responsibilities when it comes to vulnerability disclosure and that we follow consistent practices across the different Hyperledger projects.
Other resources:
Task to be completed
Revisit the documented responsible disclosure policy and update the default template for vulnerability disclosure processes for Hyperledger projects to ensure visibility and consistency across Hyperledger projects.
List of deliverables or work products
[ ] Default template for vulnerability disclosure processes for Hyperledger projects
Time to complete (no more than 6 months)
TBD
Leader
Arun S M
Initial participant list
Venkatraman Ramakrishna (Rama)
Arnaud Le Hors
Hart Montgomery: I'd like to make this one a priority and can talk about it more. There are good opportunities for collaboration with the OpenSSF.