Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clarify the security issue process #32

Closed
jonaslagoni opened this issue Jun 22, 2021 · 13 comments
Closed

Clarify the security issue process #32

jonaslagoni opened this issue Jun 22, 2021 · 13 comments
Labels
enhancement New feature or request

Comments

@jonaslagoni
Copy link
Member

jonaslagoni commented Jun 22, 2021

Reason/Context

With more and more tools, we increase the attack surface that might be leveraged in unintended ways. We should provide a structure where code owners and maintainers can spare and help each other solve security issues.

The current security policy we have: https://github.com/asyncapi/community/security/policy (What happens when someone sends an email to this? I have no idea 🤷). Are we using the security advisory feature on GitHub on each repository?

Description

Therefore we should provide a clear structure for everyone evolved to know the entire process. From the reporter to the one fixing the issue.

  • Does it make sense to create a security advisory group that can help solve the given issues together with the maintainers?
  • Does LF dictate any process we must adhere to?
@jonaslagoni jonaslagoni added the enhancement New feature or request label Jun 22, 2021
@jonaslagoni jonaslagoni changed the title Suggestion to create a security group Clarify the security issue process Jun 22, 2021
@jonaslagoni
Copy link
Member Author

jonaslagoni commented Jun 30, 2021

Here is my suggestion on how we can improve the current process, and how we can make sure security is a prioritization:

I suggest we use https://docs.github.com/en/code-security/security-advisories throughout the process.

We create a security-advisories team here on GitHub which initially will have access to security@asyncapi.io (new email only related to security tips) and responsible for assessing security issues and create security advisories in the affected repositories. It is not the responsibility of the group to fix the security issues, however, it is expected that they collaborate and guide the maintainers of the affected repository.

The team should also bring awareness to more global issues or suggestions as they have the full picture of related security issues.

To create a sense of urgency, I would suggest that we give the maintainers 90 days (it seem to be the standard) to provide a fix in private, if more time passes the security audit will be made public to notify relevant stakeholders of the issue. if the issue is fixed earlier then that it is of course released ASAP.

I suggest we add the entire process to https://github.com/asyncapi/.github/blob/master/SECURITY.md as well as exposure on the website about the team its role and how to help out.

For the team itself, I suggest we start utilizing the TSC for voting purposes to select the security-advisories team members as well as changes to the process itself. The security-advisories team should probably also be affected by a code-of-conduct different from the regular one. Not sure how we should handle this yet though, any ideas? 🤔

This is just an idea from my side but could be really awesome if the group made assessments of tooling on their own periodically. I think we will have to keep the initial process and work for the group as minimal as possible and add more tasks later.

References:

@github-actions
Copy link

This issue has been automatically marked as stale because it has not had recent activity 😴
It will be closed in 60 days if no further activity occurs. To unstale this issue, add a comment with detailed explanation.
Thank you for your contributions ❤️

@github-actions github-actions bot added the stale label Aug 30, 2021
@jonaslagoni
Copy link
Member Author

@derberg any process in terms of the TSC progress to enable the vote on this?

@derberg
Copy link
Member

derberg commented Aug 30, 2021

no progress yet, might be that AsyncAPI conference setup will speed up cleanup here and maintenance of TSC members list

@jonaslagoni jonaslagoni removed the stale label Aug 30, 2021
@github-actions
Copy link

This issue has been automatically marked as stale because it has not had recent activity 😴

It will be closed in 120 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation.

There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model.

Let us figure out together how to push this issue forward. Connect with us through one of many communication channels we established here.

Thank you for your patience ❤️

@github-actions github-actions bot added the stale label Dec 29, 2021
@derberg derberg removed the stale label Jan 3, 2022
@github-actions
Copy link

github-actions bot commented May 4, 2022

This issue has been automatically marked as stale because it has not had recent activity 😴

It will be closed in 120 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation.

There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model.

Let us figure out together how to push this issue forward. Connect with us through one of many communication channels we established here.

Thank you for your patience ❤️

@github-actions github-actions bot added the stale label May 4, 2022
@derberg derberg removed the stale label May 10, 2022
@derberg
Copy link
Member

derberg commented May 10, 2022

@jonaslagoni voting is possible now, in case you want to continue working on this one

@jonaslagoni
Copy link
Member Author

I don't have the bandwidth to solo take this on at the moment and it's not that pressing to prioritize it at the moment. Maybe next year for me.

If others want to take it up, feel free 👍

@github-actions
Copy link

This issue has been automatically marked as stale because it has not had recent activity 😴

It will be closed in 120 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation.

There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model.

Let us figure out together how to push this issue forward. Connect with us through one of many communication channels we established here.

Thank you for your patience ❤️

@github-actions github-actions bot added stale and removed stale labels Sep 14, 2022
@github-actions
Copy link

This issue has been automatically marked as stale because it has not had recent activity 😴

It will be closed in 120 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation.

There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model.

Let us figure out together how to push this issue forward. Connect with us through one of many communication channels we established here.

Thank you for your patience ❤️

@github-actions github-actions bot added the stale label Jan 14, 2023
@derberg
Copy link
Member

derberg commented Mar 8, 2023

I was wondering if there are maybe some foundations or other organizations that sponsor security related improvements in open source 🤔

@github-actions github-actions bot removed the stale label Mar 9, 2023
@github-actions
Copy link

github-actions bot commented Jul 7, 2023

This issue has been automatically marked as stale because it has not had recent activity 😴

It will be closed in 120 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation.

There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model.

Let us figure out together how to push this issue forward. Connect with us through one of many communication channels we established here.

Thank you for your patience ❤️

@derberg
Copy link
Member

derberg commented Sep 18, 2023

Let's keep it open, so we get reminded. I'm exploring options for more funding and how we could hire more people by the initiative to own such topics

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

2 participants