ossf / security-baseline

Apache License 2.0

Coordinated vulnerability reporting is undefined, and should we use CVD instead? #64

Open david-a-wheeler opened 1 week ago

david-a-wheeler commented 1 week ago

Current text:

```yaml
  - id: OSPS-45
    maturity_level: 2
    category: Documentation
    criteria: |
      The project documentation MUST include a
      policy for coordinated vulnerability
      reporting, with a clear timeframe for
      response.
      Establish a process for reporting and
      addressing vulnerabilities in the project,
      ensuring that security issues are handled
      promptly and transparently.
    implementation: |
      Create a SECURITY.md file at the root of the
      directory, outlining the project's policy
      for coordinated vulnerability reporting.
      Include a method for reporting
      vulnerabilities. Set expectations for the
      how the project will respond and address
      reported issues.
```

However, there's no clear definition of "coordinated vulnerability reporting". Also, we're focused on projects, which are generally receiving reports; they are not doing the reporting. I think we should use the term "coordinated vulnerability disclosure" (CVD) instead, and cite an authoritative definition with a link for more info.

The point is that the project will want reporters to privately give them vulnerability reports & time to fix, with coordination between the parties.

Also: Should we recommend that the time limit be no more than 90 days? If projects give themselves a year or 2, attackers will sometimes also find it and exploit it while the project fails to take action.

Quick aside: the best practices badge does not mandate this because there were projects that wanted full disclosure, that is, they didn't want to try to keep things secret. I don't think full disclosure is a good idea unless a project has already shown faithlessness in fixing vulnerabilities. I am sympathetic that, years ago, getting private reports was hard (GitHub didn't support it & encrypted email was too hard for most mortals). Things have changed for the better, so perhaps it's time to require this. I think it's worth proposing as a requirement.
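As an added illustration of what the OSPS-45 implementation guidance and the 90-day proposal above would mean in practice, here is a small checker that reads a SECURITY.md and reports whether it names a reporting channel, states a response timeframe, and states a disclosure model. This is example code written for this discussion, not part of the ossf/security-baseline repository; the three sample SECURITY.md files are constructed, and the 90-day ceiling is taken as an assumption from the proposal in this issue rather than from the baseline text.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Ceiling on any stated response/fix window, in days. Assumption: the
# 90-day maximum proposed in the issue, not a value from the baseline itself.
MAX_DISCLOSURE_DAYS = 90

# A reporting channel: an e-mail address, a URL, or GitHub's private reporting.
CONTACT_RE = re.compile(
    r"[\w.+-]+@[\w-]+\.[\w.-]+|https?://\S+|private\s+vulnerability\s+reporting",
    re.I,
)
# "<n> day(s)/week(s)/month(s)/year(s)" phrases, normalised to days below.
TIMEFRAME_RE = re.compile(r"(\d+)\s*(day|week|month|year)s?\b", re.I)
UNIT_DAYS = {"day": 1, "week": 7, "month": 30, "year": 365}
CVD_RE = re.compile(r"coordinated\s+vulnerability\s+disclosure|\bCVD\b", re.I)
FULL_RE = re.compile(r"full\s+disclosure", re.I)

# Constructed sample policies (not taken from any real project).
SAMPLE_OK = """\
# Security Policy

## Reporting a Vulnerability
Please report vulnerabilities privately via GitHub's private vulnerability
reporting feature or by emailing security@example.org.

## Disclosure
We follow coordinated vulnerability disclosure. We will acknowledge reports
within 3 days and aim to publish a fix within 90 days of the report.
"""

SAMPLE_SLOW = """\
# Security

Email security@example.org. We will respond within 2 years.
"""

SAMPLE_VAGUE = """\
# Security

We take security seriously.
"""


@dataclass
class Result:
    has_contact: bool
    disclosure_model: Optional[str]      # "cvd", "full", or None if unstated
    longest_window_days: Optional[int]   # largest timeframe found, in days
    findings: List[str] = field(default_factory=list)

    @property
    def passes(self) -> bool:
        return not self.findings


def check_security_md(text: str, max_days: int = MAX_DISCLOSURE_DAYS) -> Result:
    """Evaluate SECURITY.md text against the OSPS-45 implementation guidance."""
    has_contact = bool(CONTACT_RE.search(text))
    windows = [int(n) * UNIT_DAYS[u.lower()] for n, u in TIMEFRAME_RE.findall(text)]
    longest = max(windows) if windows else None
    if CVD_RE.search(text):
        model = "cvd"
    elif FULL_RE.search(text):
        model = "full"
    else:
        model = None

    findings = []
    if not has_contact:
        findings.append("no vulnerability reporting channel found")
    if longest is None:
        findings.append("no response timeframe stated")
    elif longest > max_days:
        findings.append(f"stated window of {longest} days exceeds {max_days}-day ceiling")
    if model is None:
        findings.append("disclosure model (CVD or full disclosure) not stated")
    return Result(has_contact, model, longest, findings)


if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("slow", SAMPLE_SLOW), ("vague", SAMPLE_VAGUE)]:
        r = check_security_md(sample)
        print(name, "PASS" if r.passes else "FAIL", r.findings)
```

The checker treats a missing disclosure model as a finding so that the policy has to say which model it follows, but it does not fail a policy that states full disclosure, matching the position that CVD is the recommended norm rather than the only acceptable choice.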

SecurityCRob commented 5 days ago

I can try and find a canonical definition of CVD for us to cite. The projects should have a DISCLOSURE policy (typically documented in the security.md or like file). If they choose to use Full Disclosure, that's fine (we're not on the project, we don't get a vote there), but we should recommend CVD as the suggested norm.