jaegertracing / jaeger

CNCF Jaeger, a Distributed Tracing Platform
https://www.jaegertracing.io/
Apache License 2.0
20.44k stars 2.44k forks

Create SECURITY.md and a security policy for Jaeger #2136

Closed caniszczyk closed 4 years ago

caniszczyk commented 4 years ago

See https://github.com/open-policy-agent/opa/blob/master/SECURITY.md as an example

jpkrohling commented 4 years ago

Some comments about OPA's security document:

  1. We do not have (yet) a mailing list for security disclosures. We currently request people to send an encrypted message to the regular mailing list using our published key.
  2. I wouldn't create the expectation that we'll provide the first feedback within 24h, especially if it's done during the weekend. While it makes sense for OPA, Jaeger probably has a lower overall criticality when it comes to security vulnerabilities.
  3. The remainder of the doc seems reasonable, and we can try to follow their process once we receive our first disclosure. I think we should only make it clearer that our process is theoretical so far, as there hasn't been a disclosure yet.

The next question is: should we have the same process for other repositories, or should each repository have its own policy? Two examples to have in mind:

  1. Apache Thrift vulnerability that affected the Java client (jaegertracing/jaeger-client-java#669)
  2. The case where the entrypoint for the Jaeger Operator would adjust the passwd when it first starts

Both are smaller issues that probably don't deserve this whole process, even though they are technically vulnerabilities.

yurishkuro commented 4 years ago

Is a mailing list an acceptable practice? It seems much easier to deal with than our current process of encrypting the message (and I don't believe all maintainers have access to the private key to decrypt).

I think it's up to us to define the SLAs for disclosure response. Given lower criticality of Jaeger, we could choose 1w instead of 24hr.

For the other repositories, I would create a SECURITY.md which points to the main repo's SECURITY.md. If something is reported for a non-primary repository, we can triage.

jpkrohling commented 4 years ago

I don't believe all maintainers have access to the private key to decrypt

I'm quite sure all maintainers tested the ability to decrypt messages when the key was created, but you are right, perhaps not all current maintainers have access to the decryption key. I would still give the option to send encrypted messages, as not everybody is comfortable submitting security reports in plain text, especially given that quite a good number of servers still downgrade connections to plain text.

@jaegertracing/jaeger-maintainers, please let me know whether you need me to send you the private key. By default, I'll encrypt it based on your GitHub key (like: https://github.com/jpkrohling.keys)

I agree with you on the other points.

oalbacha commented 4 years ago

Hi, can I help you with this issue? I am coming through the Outreachy program.

jpkrohling commented 4 years ago

Sorry, this is done already and this issue should have been closed. If you can't find another suitable issue to work on, let me know.

oalbacha commented 4 years ago

Hi Juraci, thank you for your response. Please help me find an issue; good first issues and documentation issues are welcome.

On Wed, 21 Oct 2020 at 4:58 pm, Juraci Paixão Kröhling <notifications@github.com> wrote:

Sorry, this is done already and this issue should have been closed. If you can't find another suitable issue to work on, let me know.


-- Regards, Omar

jpkrohling commented 4 years ago

I'll ping you directly on the proposed issue(s).