ossf / tac

Technical Advisory Council
https://openssf.org

[For Review]: Open Source Security Foundation Vulnerability Disclosure Policy #149

Closed JLLeitschuh closed 10 months ago

JLLeitschuh commented 1 year ago

The Vulnerability Disclosure WG has developed a proposal for an OpenSSF Vulnerability Disclosure Policy. This policy is for outgoing vulnerabilities, not incoming vulnerabilities. This is particularly relevant to the Alpha Omega project as it defines the policy under which vulnerabilities A-O finds are disclosed to maintainers.

At this time we are requesting both TAC and LF legal review of the policy. We are seeking approval to make this an official OpenSSF policy. This policy will define how all OpenSSF discovered vulnerabilities are disclosed to maintainers.

https://docs.google.com/document/d/1W2Xfw9i5pSA-0XbIw3a4kcW2o4PByxDbjcnWe9mlQwA/edit

Relevant Vulnerability Disclosures WG issue: https://github.com/ossf/wg-vulnerability-disclosures/issues/122

I'd like to also get on the agenda for the soonest TAC meeting to discuss this proposal.

SecurityCRob commented 1 year ago

This has been actively collaborated on with the Vuln Disc WG. Jonathan has sought a lot of input to date to get us here.

dlorenc commented 1 year ago

+1 on this, it's a great start!

JLLeitschuh commented 1 year ago

Now that this policy has been ratified by the TAC, where should it live? @SecurityCRob has proposed within this repository directly. Do others have other suggestions or opinions?

steiza commented 1 year ago

I think it'd be nice to make it available from openssf.org.

Where exactly, I'm not quite sure. Most of the existing policies (privacy policy, terms of use, antitrust policy) point back at Linux Foundation pages.

Maybe either as an FAQ item on https://openssf.org/about/, or as its own page linked off the "About" menu in the header?

di commented 1 year ago

Maybe at https://openssf.org/policies/vulnerability-disclosure-policy/?

lehors commented 1 year ago

Wouldn't it make sense to put it under https://openssf.org/resources?

steiza commented 1 year ago

I'm not sure if the TAC needs to own the decision of where exactly on the website this lands (maybe @JLLeitschuh can use his best judgement and work with LF staff on that) - but it at least sounds like we're aligned that the vuln disclosure policy should live somewhere on https://openssf.org/?

JLLeitschuh commented 1 year ago

There are two questions at play here I think. Where does the source live, and where is the published version hosted?

For the source version, which is what I'm more concerned about in the short term, I'm wondering what repository it should live in under the OSSF GitHub org.

lehors commented 1 year ago

Shouldn't the source be in the Vulnerability Disclosures WG repo?

JLLeitschuh commented 1 year ago

Shouldn't the source be in the Vulnerability Disclosures WG repo?

Maybe? The counter argument to this is that, since this is an organization-level policy that has been ratified by the TAC, is that still the appropriate location for it to live?

steiza commented 1 year ago

For the source version, which is what I'm more concerned about in the short term, I'm wondering what repository it should live in under the OSSF GitHub org.

Ah, thanks for this clarification!

I don't think this belongs in the TAC repo, just because the TAC reviewed / approved it. There's lots of stuff the TAC reviews / approves that aren't in the TAC repo.

I think https://github.com/ossf/foundation makes the most sense. In fact, that's the current home of the OpenSSF Content Policy.

JLLeitschuh commented 1 year ago

Any arguments for https://github.com/ossf/.github vs https://github.com/ossf/foundation ? Should all of the foundation docs be moved to the .github repo? Should the .github just be a mirror of the https://github.com/ossf/foundation repository?

I ask because, I presume, the SECURITY.md policy, when created, will be published in https://github.com/ossf/.github, right? Shouldn't other policy docs live there then as well?

ljharb commented 1 year ago

Yes, community health files all belong in the org's .github repo so that they can be the defaults for every repo.

However, things that aren't supported by GitHub can go anywhere, although that's a reasonable place to put them.

lehors commented 1 year ago

Shouldn't the source be in the Vulnerability Disclosures WG repo?

Maybe? The counter argument to this is that, since this is an organization-level policy that has been ratified by the TAC, is that still the appropriate location for it to live?

For what it's worth, I think it would have made sense for it to go through the Vulnerability Disclosures WG first, before being brought up to the TAC. So I still think it would make sense to have the source/model file there. The actual policy the TAC approved and we want to advertise can be on openssf.org, possibly as a link pointing to the foundation repo or https://github.com/ossf/.github if that makes more sense.

JLLeitschuh commented 1 year ago

For what it's worth I think it would have made sense for it to go through the Vulnerability Disclosures WG first, before being brought up to the TAC.

This is the process that was followed.

lehors commented 1 year ago

For what it's worth I think it would have made sense for it to go through the Vulnerability Disclosures WG first, before being brought up to the TAC.

This is the process that was followed.

Oh right, I took part in it. I should know! I'm getting old... Ok, but so to me, again, this primarily belongs to that WG, so that's where it should be stored. This is the WG where revisions would be discussed, right?

znewman01 commented 1 year ago

Was that supposed to be @steiza assigned instead of me?

bobcallaway commented 1 year ago

Was that supposed to be @steiza assigned instead of me?

yup

hythloda commented 1 year ago

[Screenshot 2023-06-02 at 9 42 48 AM: "about", "Vul Disc"]

hythloda commented 1 year ago

Please let me know if anything needs changing on the website. I have direct access so it is very easy to change.

SecurityCRob commented 1 year ago

Derp. Sorry about that!

steiza commented 1 year ago

Website content looks great; thanks @hythloda!

In terms of what repository this policy should live in, I still think https://github.com/ossf/foundation makes the most sense.

Really, the only purpose of https://github.com/ossf/.github should be for the public README on https://github.com/ossf. If we want to have a template repository, we could, but that should probably be separate from ossf/.github. But I'm also not sure that we should have policies in a template repository, unless we anticipate individual repos having their own versions of a policy.

If the policy is OpenSSF wide, it seems like it should live somewhere like https://github.com/ossf/foundation.

hythloda commented 1 year ago

We like? https://github.com/ossf/foundation/pull/31

SecurityCRob commented 1 year ago

@bobcallaway @AevaOnline @lehors @dlorenc please weigh in on your thoughts on placement for this so we can close this.

lehors commented 1 year ago

I feel like the main policy should go in the foundation repo and the template in the Vuln WG repo. But as I said on https://github.com/ossf/foundation/pull/31 "it seems that this is turning into a bikeshedding topic so feel free to ignore my preference if that helps getting to closure." :-)

bobcallaway commented 1 year ago

+1, we've spent more time talking about it instead of just merging it.


SecurityCRob commented 1 year ago

@JLLeitschuh please follow Arnaud's suggestion and get the template located within the vuln WG's repo, and we'll post the text up at the foundation level, as per https://github.com/ossf/foundation/pull/31; then we can close this out.

david-a-wheeler commented 1 year ago

Here's a quick clarification to prevent confusion:

This issue is only for an outgoing vulnerability disclosure policy.

The Vulnerability Disclosures WG has ALSO separately drafted an INCOMING vulnerability disclosure policy, that is, on how to report vulnerabilities to the OpenSSF (and how the OpenSSF should handle them). You can see the discussion & content of the draft INCOMING vulnerability disclosure policy here: https://github.com/ossf/wg-vulnerability-disclosures/issues/128. I'd like to see that work eventually come to fruition, but it's separate & I don't want them confused with each other :-).

SecurityCRob commented 11 months ago

@hythloda are we good to close this? The link exists on the foundation webpage, correct?