doc: add initial draft of CVE management process #60
Conversation
|
@nodejs/security @nodejs/security-wg for review/comment. |
processes/cve_management_process.md
Outdated
| # Node.js CVE management process | ||
|
|
||
| The Node.js project acts as a Commonn Vulnerabilities and Exposures (CVE) | ||
| Numbering Authority (CNA). The current scope is for all actively |
There was a problem hiding this comment.
Having Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA) be a link would be good.
processes/cve_management_process.md
Outdated
| developed versions of software developed under the Node.js project (ie. | ||
| https://github.com/nodejs). This means that the Node.js team reviews | ||
| CVE requests and if appropriate assigns CVE numbers to vulnerabilities. | ||
| The scope currently **does not** include thir party modules. |
There was a problem hiding this comment.
Only for Core and Foundation projects or userland modules also?
There was a problem hiding this comment.
It is only for Core and Foundation projects. That line tries to say that userland modules are excluded for now. Once we are comfortable with that scope we will consider expanding.
processes/cve_management_process.md
Outdated
| The CNA program allows the Node.js team to request a block of CVE's in | ||
| advance. These CVE's are managed in an issue within the private Node.js | ||
| security repo (https://github.com/nodejs/security). Each year there | ||
| will be an issue in that repo titled: |
There was a problem hiding this comment.
I recommend that we create a separate dedicated repository under the nodejs-private github organization for CVE management. Discussion of assignments would be in issues, actual assignments done as PRs against a master record in the repository.
There was a problem hiding this comment.
That would be ok with me as well, just was not sure if we wanted to create additional repos
|
Excellent start. Thank you for putting this together. |
processes/cve_management_process.md
Outdated
| developed versions of software developed under the Node.js project (ie. | ||
| https://github.com/nodejs). This means that the Node.js team reviews | ||
| CVE requests and if appropriate assigns CVE numbers to vulnerabilities. | ||
| The scope currently **does not** include thir party modules. |
processes/cve_management_process.md
Outdated
| been added to a closed mailing list that is used for announcements, | ||
| sharing documents, or discussion relevant to the CNA community. | ||
| The list rarely has more than ten messages a week. | ||
| **cna-discussion-list** |
|
Pushed update to address some of the initial comments. I'll leave a bit more time before updating to use a repo in the nodejs-private github organization in order to see if there are any alternatives suggested or concerns raised with doing that. |
processes/cve_management_process.md
Outdated
| @@ -0,0 +1,124 @@ | |||
| # Node.js CVE management process | |||
|
|
|||
| The Node.js project acts as a [Commonn Vulnerabilities and Exposures (CVE) | |||
processes/cve_management_process.md
Outdated
| include third party modules. | ||
|
|
||
| More detailed information about the CNA program is available in | ||
| https://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf |
There was a problem hiding this comment.
Perhaps create a link here?
processes/cve_management_process.md
Outdated
|
|
||
| The CNA program allows the Node.js team to request a block of CVE's in | ||
| advance. These CVE's are managed in an issue within the private Node.js | ||
| security repo (https://github.com/nodejs/security). Each year there |
There was a problem hiding this comment.
Maybe just make "security repo" a link and drop the explicit URL.
processes/cve_management_process.md
Outdated
| CVE Block for XXXX | ||
| ``` | ||
|
|
||
| were XXXX is the year (for example `CVE Block for 2017`). |
processes/cve_management_process.md
Outdated
| * Announced | ||
|
|
||
|
|
||
| When a new block of CVEs is received from Mitre they will be listed under |
processes/cve_management_process.md
Outdated
|
|
||
| When a request for a CVE is received via the cve-request@iojs.org | ||
| email alias the following process will be followed (likely updated | ||
| after we get hacker one up and running). |
processes/cve_management_process.md
Outdated
|
|
||
| * Respond to the requestor indicating that we have the request | ||
| and will review soon. | ||
| * Open an issue in the security repo for the request |
There was a problem hiding this comment.
Missing a period at the end of the line.
processes/cve_management_process.md
Outdated
| * Review the request. | ||
| * If a CVE is appropriate then assign the | ||
| CVE as outline in the section titled | ||
| `CVE Management processes for Node.js vulnerabilities` and |
There was a problem hiding this comment.
Should this link to the section?
processes/cve_management_process.md
Outdated
| * Move the CVE from the unassigned block, to the Pending section along | ||
| with a link to the issue in the security repo that is being used | ||
| to discuss the vulnerability. | ||
| * As part of the security announcement process |
There was a problem hiding this comment.
Maybe just link this and drop the explicit URL.
processes/cve_management_process.md
Outdated
| commonly done by including it is the draft for the announcement that | ||
| will go out once the associated security releases are availble. | ||
| * Once the security announcement goes out: | ||
| * Use the Mitre form (https://cveform.mitre.org/) to report the |
There was a problem hiding this comment.
Link and drop the explicit URL?
|
@jasnell pushed commit to address suggestion to use repo in nodejs-private instead of issue in security repo. |
|
@cjihrig can you take another look. |
PR-URL: #60 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
|
Landed as c2bf31b |
PR-URL: nodejs/security-wg#60 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
PR-URL: nodejs/security-wg#60 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
No description provided.