Security vulnerability reporting process

[dthaler]

We need to document what the inbound and outbound vulnerability management process is.

• Comparable from CCC: governance/security-response-policies.md at main · confidential-computing/governance (github.com)
• Microsoft comparable (less relevant for a foundation project): ebpf-for-windows/SECURITY.md at master · microsoft/ebpf-for-windows (github.com))
• LFx Security- https://docs.linuxfoundation.org/lfx/security/overview

There is work in progress linked at bottom of https://github.com/ossf/wg-vulnerability-disclosures

[dthaler]

Another comparable:

• https://xenproject.org/developers/security-policy/

[vmbrasseur]

I was looking into this and think it's something that we ought to be following the LFN policy for. Unfortunately, I can't locate an LFN security vulnerability disclosure policy.

@lilluzzi, could you please lend a hand here?

[lilluzzi]

@vmbrasseur LFN policy is to use LFx Security (see link above). Projects will be onboarding in the coming weeks. The security team is working on the rollout plan to communities.

[vmbrasseur]

@lilluzzi That's for scanning for vulnerabilities though, not reporting them, isn't it?

For instance, here's the template for a policy for the projects under CCC: security-response-policies.md

Does LFN have a policy for vulnerability disclosure for its projects?