Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Self Assessment: [DEV-2] Verify vulnerability reporting process #5398

Closed
randomvariable opened this issue Oct 6, 2021 · 17 comments
Closed

Security Self Assessment: [DEV-2] Verify vulnerability reporting process #5398

randomvariable opened this issue Oct 6, 2021 · 17 comments
Labels
area/security Issues or PRs related to security kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. priority/backlog Higher priority than priority/awaiting-more-evidence. sig/security Categorizes an issue or PR as relevant to SIG Security.

Comments

@randomvariable
Copy link
Member

randomvariable commented Oct 6, 2021
edited
Loading

Detailed Description

As part of the security self-assessment, (#4446) am reviewing our software development practices.

We have a SECURITY_CONTACTS and we have vulnerability reporting (via an org template?) that can be invoked hitting New Issue.

Do we know if this process is valid for subprojects? In addition, the SECURITY_CONTACTS file is outdated, and needs updating.

(I would also like to volunteer to be on that list)

/kind feature
/area security
@k8s-ci-robot
Copy link
Contributor

@randomvariable: The label(s) area/security cannot be applied, because the repository doesn't have them.

In response to this:

Detailed Description

As part of the security self-assessment, am reviewing our software development practices.

We have a SECURITY_CONTACTS and we have vulnerability reporting (via an org template?) that can be invoked hitting New Issue.

Do we know if this process is valid for subprojects? In addition, the SECURITY_CONTACTS file is outdated, and needs updating.

(I would also like to volunteer to be on that list)

/kind feature
/area security

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Oct 6, 2021
@randomvariable randomvariable changed the title Security Self Assessment: Validate vulnerability reporting process Security Self Assessment: Verify vulnerability reporting process Oct 6, 2021
@neolit123
Copy link
Member

The process of batch removing these files went stale. But they are pretty much pending deletion in all repos...I'd probably delete the file and keep email / contacts in the main readme.

Girhub handles are useless as there are no github dms?

@randomvariable
Copy link
Member Author

Github handles are useless as there are no github dms?

Yes, I don't think we can use them really for private disclosure.

@vincepri
Copy link
Member

vincepri commented Oct 22, 2021
edited
Loading

/milestone Next

To discuss at SIG level as well + documentation changes and potential issue template

@k8s-ci-robot k8s-ci-robot added this to the Next milestone Oct 22, 2021
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 20, 2022
@fabriziopandini
Copy link
Member

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 20, 2022
@sbueringer
Copy link
Member

/milestone v1.2

@k8s-ci-robot k8s-ci-robot modified the milestones: Next, v1.2 Feb 18, 2022
@PushkarJ
Copy link
Member

/retitle Security Self Assessment: [DEV-2] Verify vulnerability reporting process
/sig security
/area security

(This topic is being discussed in the community right now across SIG Security, Contribex and SRC. Cluster API sub-project may end up benefitting from the structural changes that this discussion creates)

@k8s-ci-robot k8s-ci-robot changed the title Security Self Assessment: Verify vulnerability reporting process Security Self Assessment: [DEV-2] Verify vulnerability reporting process May 13, 2022
@k8s-ci-robot k8s-ci-robot added sig/security Categorizes an issue or PR as relevant to SIG Security. area/security Issues or PRs related to security labels May 13, 2022
@fabriziopandini fabriziopandini added the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Jul 29, 2022
@fabriziopandini fabriziopandini removed this from the v1.2 milestone Jul 29, 2022
@fabriziopandini fabriziopandini removed the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Jul 29, 2022
@fabriziopandini
Copy link
Member

/triage accepted

@k8s-ci-robot k8s-ci-robot added the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Oct 3, 2022
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 1, 2023
@fabriziopandini
Copy link
Member

/lifecycle frozen
This has been discussed at KubeCon Detroit during a postmortem of the security assessment.

TL;DR;
The CAPI subproject doesn't have the critical mass to own its own vulnerability reporting process; in the issue templates, under "Report a security vulnerability" we are referring to the Kubernetes process described in https://github.com/kubernetes-sigs/cluster-api/security/policy, but the Kubernetes security response team should be staffed/define its own processes about how to engage sub-projects. cc @PushkarJ @ aladewberry

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 2, 2023
@k8s-ci-robot k8s-ci-robot added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Jan 2, 2023
@sbueringer
Copy link
Member

sbueringer commented Jan 2, 2023
edited
Loading

cc @aladewberry
(looks like there is a space too much in your mention)

@k8s-triage-robot
Copy link

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

  • Confirm that this issue is still relevant with /triage accepted (org members only)
  • Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. and removed triage/accepted Indicates an issue or PR is ready to be actively worked on. labels Jan 20, 2024
@fabriziopandini
Copy link
Member

/priority backlog

@k8s-ci-robot k8s-ci-robot added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Apr 12, 2024
@fabriziopandini
Copy link
Member

The Cluster API project currently lacks enough contributors to adequately respond to all issues and PRs.

As discussed with SIG security folks back in detroit when we did a retrospective on this security assessment (@aladewberry), given different staffing/size of projects, the only viable way for subprojects to handle vulnerability reporting process is to rely on the K8s process

@fabriziopandini
Copy link
Member

/close

@k8s-ci-robot
Copy link
Contributor

@fabriziopandini: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/security Issues or PRs related to security kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. priority/backlog Higher priority than priority/awaiting-more-evidence. sig/security Categorizes an issue or PR as relevant to SIG Security.
Projects
No open projects
sig-security-tracker
Status: Done
Milestone
No milestone
Development

No branches or pull requests
8 participants
@neolit123 @randomvariable @vincepri @PushkarJ @sbueringer @fabriziopandini @k8s-ci-robot @k8s-triage-robot