EdgeX Foundry takes security threats and issues seriously.
Reporting A Security Issue
This policy was approved by the TSC on 5/20/2019.
The EdgeX Foundry project takes security threats and issues seriously. In an attempt to address and handle security issues, the EdgeX community (at the hands of the Security WG) will put the following in place for the Edinburgh release:
- Establish a small (3-4 member) Security Issue Review (SIR) Team to look at any newly identified security related issue that comes to the project’s attention. This team will be made up of the following: the Security WG chairperson, at least one other TSC member, and at least one person from the community with a security and threat assessment background. The SIR Team and the project will address the issue per the Response Process outlined below.
- The SIR Team will be chosen each year at the time of the EdgeX TSC voting. [Allowing for this to be by volunteerism, vote, or selection]
- The TSC will approve of the SIR Team members.
- The Security WG chairperson will appoint replacements in the event that any member cannot complete their year of service.
- Establish a security mailing address (email@example.com) to allow the user community a means to report security issues to the project. Mail from this address will be automatically forward to the SIR Team. In the future, a public/private key system could be established to encrypt the data in the email to more securely pass the potential vulnerability to the SIR Team.
- Establish a security landing page to outline the following (this page should be reachable via the EdgeX Web site home page):
- How to report a security issue or bug in EdgeX, which will include instructions for emailing the special security email address.
- A list of known security issues and vulnerabilities – and where possible a Common Vulnerabilities and Exposures (CVE) style report to accompany the issue. CVE is a program for identifying, cataloging and addressing software and firmware vulnerabilities. Nationally, the federal government runs the CVE program to help build a free, standardized list or dictionary of security vulnerabilities for organizations to use to improve their software’s exposure and posture to security threats.
- Prepopulated the security landing page with already known issues (from known issues, threat assessments and security analysis that have already been completed).
- A link to the release notes for each release where security vulnerabilities and issues for each release will be highlighted.
On receipt of a security issue via the mailing address, the SIR Team will perform the following:
- Call a meeting of the SIR Team as soon as possible. It is desired that this be within a week of receipt of the report, but is based on the availability of the team members.
- The SIR Team will assess, validate and grade (see grading below) the issue, and make a determination about how to react to the issue. After making the determination, the SIR team will respond to the submitter to acknowledge receipt of the issue and provide some information (as warranted) about the reaction. Reactions include:
- Work with the community to fix the issue (in the latest supported and development releases as applicable) as quickly as possible (for critical issues) and issue a dot release (in coordination with the TSC and release manager). Based on the severity and sensitivity of the issue, appropriate teams in the community to fix and document the issue will be involved. Due to the sensitivity of the issue, all work may not appear in the project’s task tracking systems (like GitHub issues) while the issue is being addressed.
- Determine that the issue should be fixed in a future release. Document the problem in an issue and assign the work to the appropriate work group chairman for prioritization.
- Assess that the issue is of low probability or impact to the project and its user community and decide to take no action other than report.
- Create a Common vulnerabilities and exposures (CVE) style report of the issue and associated threat.
- At a time to be determined by the SIR Team (based on the sensitive nature of the issue and potential fix to the issue), the SIR Team will:
- Post the CVE report to the edgex-tsc-security mailing list. Note: the archives for edgex-tsc-security mailing list are public, and therefore submissions to firstname.lastname@example.org constitute public disclosure.
- Post the issue and CVE report to the above-mentioned security landing page as a known security issue or vulnerability.
- Update the release notes of the effected releases to indicate the same issue.
As a side note, when an issue is created in GitHub, the issue should carry a "security issue" label so as to highlight the work as it relates to this process.
3rd Party Dependency Security Issues
When a CVE (or other security issue) is reported on an EdgeX dependency (code or library not managed and maintained by the EdgeX community) that issue will trigger the same response procedure. The only difference in the process is that the EdgeX community will defer to the owning community for fixes.
The SIR team should periodically monitor the security issues and vulnerabilities pages of the third party dependencies and trigger the response procedures accordingly when a new issue has been discovered that has not yet been handled in EdgeX.
Issues that are deemed high, medium or low will be addressed as part of the planning for the next EdgeX release.
EdgeX grades security issues on the CVSS (Common Vulnerability Scoring System) scale. The four levels are critical, high, medium and low level issues.