
RFC: Vulnerability response runbook #20

Merged (6 commits), Aug 29, 2022

Conversation

pchickey
Contributor

This RFC proposes the vulnerability response process used by the Bytecode Alliance. It is structured as a runbook: a set of steps to be followed by the team responding to a discovered vulnerability.

It documents the process we followed for several different security advisories in Wasmtime and Lucet, for example:
GHSA-88xq-w8cq-xfg7
GHSA-hf79-8hjp-rrvq

@cfallin
Member

cfallin commented Feb 17, 2022

On initial read, this looks really good and is quite complete!

Only thing I would add is that, if the vulnerability is in a Rust crate used by others, adding an entry to the rustsec database is a good last step, after the CVE exists and is public. An example PR is here for last year's Cranelift CVE.

pchickey and others added 2 commits February 17, 2022 16:09
Co-authored-by: bjorn3 <bjorn3@users.noreply.github.com>
Co-authored-by: bjorn3 <bjorn3@users.noreply.github.com>
Contributor

@jfoote jfoote left a comment


Great baseline, well done @pchickey. I provided some spellcheck and also left one more substantive comment for your consideration.

Review comments on accepted/vulnerability-response-runbook.md (9 threads, all resolved)
@bnjbvr
Member

bnjbvr commented Feb 23, 2022

(Forgot to say, sorry!) Great write-up, this definitely will streamline and structure the incident handling process!

pchickey and others added 2 commits February 28, 2022 09:04
Thank you @jfoote and @bjorn3

Co-authored-by: Jonathan Foote <jonathan@foote.pub>
@pchickey
Contributor Author

@cfallin Thanks, added a RustSec database step to the final section. We haven't been consistent in publishing to that database, but there is no reason not to be.

Member

@bnjbvr bnjbvr left a comment


Thanks a lot!

@pchickey
Contributor Author

pchickey commented Aug 18, 2022

Motion to finalize with a disposition to merge

This RFC was forgotten for a little while with one piece of unresolved feedback, which has now been resolved. We have been using it de facto during the time it was open.

Stakeholders sign-off

This affects all Bytecode Alliance projects, so I've copied the biggest stakeholder list I could find (#14) and added some new folks. I apologize if I missed anyone; I am happy to add folks.

Arm

DFINITY

Embark Studios

Fastly

Google/Envoy

Intel

Microsoft

Fermyon

Mozilla

IBM

wasmCloud

Unaffiliated

@fitzgen
Member

fitzgen commented Aug 18, 2022

As per the RFC process this RFC is entering its 10 day final comment period.

If no objections have been raised by 2022-08-28, we will merge this RFC.

@bytecodealliance bytecodealliance deleted a comment from bjorn3 Aug 19, 2022
@fitzgen
Member

fitzgen commented Aug 29, 2022

The final comment period has elapsed without any objections, so I'm going to merge this!

@fitzgen fitzgen merged commit 4ede4ad into bytecodealliance:main Aug 29, 2022
@pchickey pchickey deleted the pch/vuln_runbook branch August 31, 2022 17:58