Thanks Joakim
I agree a graphical representation would be useful. I'll look into that when I can.
Regarding CVSSv3, TF-A doesn't use any scoring yet. This recommendation was mainly to guide projects that are new to scoring but it would be great to align all projects (including OP-TEE) eventually.
Maniphest seems workable from what I have seen but I'm yet to trial this on the staging server.
All – I had an action from the last TSC to ask for this process to be approved in principle. I was concerned about making final updates to this and then receiving major feedback at the last minute. I no longer think this needs an early vote but please say something now if you see any major issues. I'm still making minor changes to cater for all the scenarios that the Mbed TLS security team see. This mainly consists of flexibility in the timelines depending on the nature of the security issue. There's a bit of a culture clash between the kernel (that this is based on), which focusses on fixing upstream early, and crypto projects, which focus on responsible disclosure.
Regards
Dan.
From: Joakim Bech joakim.bech@linaro.org
Sent: 02 March 2020 13:51
To: Dan Handley Dan.Handley@arm.com
Cc: tsc@lists.trustedfirmware.org
Subject: Re: [TF-TSC] Proposed tf.org security incident handling process (v0.5)
Hi Dan, all,
I've read the updated version(s), I'm happy with them as they are written here in the 0.5 version (that implies that Linaro is happy with them).
External process:
- It'd be nice at some point to complement the text with a graphical timeline showing the boundaries at each step.
Internal process:
- CVSSv3 or something else to identify the severity? I know OP-TEE isn't using CVSSv3. I'd be happy to change OP-TEE to align with other TF projects.
- Regarding people on op-tee-security@trustedfirmware.org, for now I think it's sufficient to have Jens + the global address (security@trustedfirmware.org).
Maniphest:
- I have no experience, but that'll probably get the job done as any other tools would have done.
Regards, Joakim
On Wed, 19 Feb 2020 at 19:00, Dan Handley via TSC <tsc@lists.trustedfirmware.org> wrote:
Hi TF TSC
This is a v0.5 update to the proposed tf.org security incident handling process, which I sent previously.
Changes:
* Expanded the Trusted Stakeholder embargo request period to 3 working days (in their timezone).
* Expanded the ESS definition to include suppliers to ESSes (e.g. distros).
* Allowed projects to optionally use severity scoring (CVSSv3 preferred but not mandated).
* Allowed for flexibility in disclosure plan to accommodate reporter's disclosure plan.
* Allowed for the fact that some projects cannot deliver vulnerability fixes to a restricted audience for export control reasons.
I've also included an internal facing process for the first time, mainly aimed at members of the security team(s) so they know how to execute the process.
I propose the next steps are:
* Discuss the latest changes in the 20th Feb TSC meeting.
* Set a date for approval of the external process (e.g. mid-March).
* Identify the right people to be on the security teams.
* Work with tf.org infra people and each project's security teams to propose a plan for when this process can be made active. Should we try to make this active for all projects at the same time or as each project is ready?
Regards
Dan.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
--
TSC mailing list
TSC@lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/tsc