doc: first version of security releases process (#306)

PR-URL: #306 Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com> Reviewed-By: Liran Tal <liran.tal@gmail.com>
nodejs · Jul 4, 2018 · 35bf0d8 · 35bf0d8
1 parent 39995b4
commit 35bf0d8
Show file tree

Hide file tree

Showing 3 changed files with 109 additions and 10 deletions.
diff --git a/processes/cve_management_process.md b/processes/cve_management_process.md
@@ -109,14 +109,25 @@ following steps are used to assign, announce and report a CVE.
   in the issue in the security issue being used to discuss the
   vulnerability, associate the CVE to that vulnerability. This is most
   commonly done by including it is the draft for the announcement that
-  will go out once the associated security releases are availble.
+  will go out once the associated security releases are available.
 * Once the security announcement goes out:
   * Use the [Mitre form](https://cveform.mitre.org/) to report the
     CVE details to Mitre using the `Notify CVE about a publication`. The
     link to the advisory will be the for the blog announcing that security
     releases are available. The description should be a subset of the
     details in that blog.
-  * Move the CVE from the Pending section to the Announced section along
-    with a link to the Node.js blog post announcing that releases
-    are availble.
 
+    For each CVE listed, the additional data must include the following fields
+    updated with appropriate data for the CVE
+```
+     [CVEID]: CVE-XXXX-XXXX
+     [PRODUCT]: Node.js
+     [VERSION]: 8.x+, 9.x+, 10.x+
+     [PROBLEMTYPE]: Denial of Service
+     [REFERENCES]: Link to the blog for the final announce
+     [DESCRIPTION]: Description from final announce
+     [ASSIGNINGCNA]: Node.js Foundation
+```
+* Move the CVE from the Pending section to the Announced section along
+  with a link to the Node.js blog post announcing that releases
+  are availble.
diff --git a/processes/security_annoucement_process.md b/processes/security_annoucement_process.md
@@ -27,7 +27,9 @@ The process is as follows:
   Submit PR and leave 1 hour for review. After one hour even if no reviews,
   land anyway so that we don't have too big a gap between post to nodejs-sec
   and blog. Text was already reviewed in security repo so is unlikely to
-  attract much additional comment.
+  attract much additional comment. **The PR should also update the banner
+  on the Node.js website to indicate security releases are coming with the
+  banner linked to the blog**
 
 * In original PR for the security repository for the issue, post candidate
   text for updates that will go out with releases that will indicates
@@ -37,10 +39,6 @@ The process is as follows:
   https://groups.google.com/forum/#!forum/nodejs-sec indicating
   releases are available and with the full vulnerability details.
 
-* PR machine-readable JSON descriptions of the vulnerabilities to the
-  [core](https://github.com/nodejs/security-wg/tree/master/vuln/core)
-  vulnerability DB.
-
 * Update the blog post in
   https://github.com/nodejs/nodejs.org/tree/master/locale/en/blog/vulnerability
   with the information that releases are available and the full
@@ -50,7 +48,9 @@ The process is as follows:
   https://github.com/nodejs/nodejs.org/blob/master/locale/en/blog/vulnerability/june-2016-security-releases.md.
   ```
   Make sure to update the date in the slug so that it will move to
-  the top of the blog list.
+  the top of the blog list. **As part of the PR, update the
+  banner on Node.js org to indicate the security release are 
+  available.**
 
   *Note*: If the release blog obviously points to the people having caused the
   issue (for example when explicitly mentioning reverting a commit), adding

diff --git a/processes/security_release_process.md b/processes/security_release_process.md
@@ -0,0 +1,88 @@
+# Security Release Process
+
+The security release process covers the steps required to plan/implement
+a security release.
+
+The steps include:
+
+* Get agreement on the list of vulnerabilities to be addressed
+  and the planned date for the releases. This is done in an issue
+  in the private security repo titled `Next Security Release`
+
+* Once agreement on the list and date has been agreed, validate
+  that all vulnerabilities have been assigned a CVE following
+  the [cve_management_process](https://github.com/nodejs/security-wg/blob/master/processes/cve_management_process.md).
+
+* Co-ordinate with the Release team members to line up one
+  or more releasers to do the releases on the agreed date.
+
+* Prep for the pre-security announcement and final security
+  annoucement by getting agreement on drafts following the
+  [security_announcement_process](https://github.com/nodejs/security-wg/blob/master/processes/security_annoucement_process.md). 
+
+* One week in advance of the agreed date for the security
+  release, ensure the pre-announce is sent out as outlined in the
+  [security_announcement_process](https://github.com/nodejs/security-wg/blob/master/processes/security_annoucement_process.md). 
+
+* One week in advance open an issue in the build working repository
+  with a notification of the date for the security release.  Use this
+  issue to co-ordinate with the build team to ensure there will
+  be coverage/availability of build team resources the day of the
+  release. Those who volunteer from the build WG should be available
+  in node-build during the release in case they are needed by the
+  individual doing the release.
+
+* One week in advance send an email to the docker official image
+  [maintainers](https://github.com/docker-library/official-images/blob/master/MAINTAINERS)
+  with an FYI that security releases will be going out on the agreed date.
+
+* Open an issue in the [docker-node](https://github.com/nodejs/docker-node)
+  repo and get one or more volunteers to be available to review the PR
+  to update Node.js versions in the docker-node repo immediately after the release.
+
+* On the day of the release co-ordinate with the Release
+  team members and keep up to date on progress. Get an guesstimate of
+  when releases may be ready and send an FYI to the docker offical image
+  [maintainers](https://github.com/docker-library/official-images/blob/master/MAINTAINERS).
+
+* When the releases are promoted, ensure the final announce
+  goes out as per the
+  [security_announcement_process](https://github.com/nodejs/security-wg/blob/master/processes/security_annoucement_process.md). 
+
+* Create a PR to update the Node.js version in the official docker images.  
+  * Checkout the docker-node repo
+  * Run the update.sh using the `-s` option so that ONLY the Node.js
+    versions are updated. At the request from docker (and because
+    it is good practice) we limit the changes to those necessary in
+    security updates
+  * Open a PR and get volunteer lined up earlier to approve
+  * Merge the PR with the merge button
+  * Checkout the [official-images](https://github.com/docker-library/official-images)
+    repository 
+  * In the docker-node repository run the
+    [generate-stackbrew-library.sh]( https://github.com/nodejs/docker-node/blob/master/generate-stackbrew-library.sh)
+    script and replace official-images/library/node with the output generated.
+  * Open a PR with the changes to official-images/library/node making sure to 
+    @mention the official images
+    [maintainers](https://github.com/docker-library/official-images/blob/master/MAINTAINERS).
+    In addition, make sure to prefix the PR title with `[security]`.
+  * Send an email to the
+    [maintainers](https://github.com/docker-library/official-images/blob/master/MAINTAINERS)
+    indicating that the PR is open
+
+* Ensure that the announced CVEs are reported to Mitre as per the
+  [cve_management_process](https://github.com/nodejs/security-wg/blob/master/processes/cve_management_process.md).
+
+* Ensure that the announced CVEs are updated in the cve-management repository
+  as per the the
+  [cve_management_process](https://github.com/nodejs/security-wg/blob/master/processes/cve_management_process.md)
+  so that they are listed under Announced.
+
+* PR machine-readable JSON descriptions of the vulnerabilities to the
+  [core](https://github.com/nodejs/security-wg/tree/master/vuln/core)
+  vulnerability DB.
+
+* Make sure the PRs for the vulnerabilities are closed
+
+* Ensure the issue in the private security repo for the release is closed out
+