...

Reporting A Security Issue

This policy was approved by the TSC on 5/20/2019.

The EdgeX Foundry project takes security threats and issues seriously. To address and handle security issues, the EdgeX community (led by the Security WG) will put the following in place for the Edinburgh release:

...

  1. Call a meeting of the SIR Team as soon as possible. Ideally this happens within a week of receipt of the report, but it depends on the availability of the team members.
  2. The SIR Team will assess, validate and grade (see grading below) the issue, and make a determination about how to react to it. After making the determination, the SIR Team will respond to the submitter to acknowledge receipt of the issue and provide some information (as warranted) about the reaction. Reactions include:
    1. Work with the community to fix the issue (in the latest supported and development releases, as applicable) as quickly as possible (for critical issues) and issue a dot release (in coordination with the TSC and release manager). Depending on the severity and sensitivity of the issue, the appropriate community teams will be involved to fix and document it. Due to the sensitivity of the issue, not all work may appear in the project's task tracking systems (such as GitHub issues) while the issue is being addressed.
    2. Determine that the issue should be fixed in a future release. Document the problem in an issue and assign the work to the appropriate work group chairman for prioritization.
    3. Assess that the issue is of low probability or low impact to the project and its user community, and decide to take no action other than reporting it.
  3. Create a Common Vulnerabilities and Exposures (CVE) style report of the issue and the associated threat.
  4. At a time to be determined by the SIR Team (based on the sensitive nature of the issue and potential fix to the issue), the SIR Team will:
    1. Post the CVE report to the edgex-tsc-security mailing list. Note: the archives of the edgex-tsc-security mailing list are public, and therefore submissions to security@edgexfoundry.org constitute public disclosure.
    2. Post the issue and CVE report to the above-mentioned security landing page as a known security issue or vulnerability.
    3. Update the release notes of the affected releases to reference the same issue.

As a side note, when an issue is created in GitHub, it should carry a "security issue" label to highlight the work as it relates to this process.

3rd Party Dependency Security Issues

...