
Need documented process for identified security vulnerabilities #7

Open
MeltyBot opened this issue Oct 22, 2021 · 1 comment

@MeltyBot

Migrated from GitLab: https://gitlab.com/meltano/handbook/-/issues/7

Originally created by @aaronsteers on 2021-10-22 19:15:57


As follow-up to sdk#256 and the slack thread here, we've identified a gap in our process documentation for how to responsibly track, respond to, and disclose potential security vulnerabilities as we discover them.

The only documentation currently in the handbook does mention we will acknowledge the email disclosure (to the sender) "on the next business day" but not specifically how we will disclose.

Key things to evaluate:

  1. When do we disclose a vulnerability and how.
  2. If there are known exploits, how much information should be provided in publicly searchable issue descriptions.
  3. What factors (if any) would lead to an issue being marked as confidential.
  4. What are our internal procedures for quick-response risk assessment, sizing, and prioritization. I.e., can these happen in private forums (such as slack or zoom), and what needs to be shared back with the community.

These are questions others have had to answer, and I (AJ) would like as much as possible to lean on industry best practice, where available. Following from this, I think the first step is to locate a few other internal guidelines and procedures from established tech companies and see how they compare/contrast with each other.

Note: This is not a confidential issue; anyone can view and engage in the discussion here.


What I found as of today for this process:

Please email [email protected] to report any security vulnerabilities. We will acknowledge receipt of your vulnerability report the next business day and strive to send you regular updates about our progress. If you're curious about the status of your disclosure please feel free to email us again.

Emails to [email protected] also forward to Zendesk, and are automatically assigned to the Security group, which includes all current team members. As documented in our Responsible Disclosure Policy, we will acknowledge receipt of a vulnerability report the next business day and strive to send the reporter regular updates about our progress.
