
security: update policy for fix/disclosure SLOs. #11243

Merged
merged 2 commits into from
May 19, 2020

Conversation

htuch
Member

@htuch htuch commented May 18, 2020

The idea is to prepare for the Envoy bug bounty, help burn down the envoy-setec
backlog and set expectations to disclosers. The 90 days limit comes from
the fuzz bug disclosure deadline and
https://www.google.com/about/appsecurity/.

Signed-off-by: Harvey Tuch <htuch@google.com>

* Three weeks notice will be provided to private distributors from patch
availability until the embargo deadline.

* Public zero days will be fixed ASAP, but there is no SLO for this, since this

I'm kind of torn on this one. OTOH, setting no SLO for a zero day seems like a terrible idea. OTOH, expecting any individual member of the Envoy security team to drop everything also seems kind of bad. I think if we had an on-call rotation for Envoy security team to deal with triage and fixing public zero days it might be possible to set an SLO. Any thoughts on this?


I'm skeptical of an SLO here, as it really depends on the issue and how hard it is to fix. IMO this language is fine for now and we can improve later as needed.

@htuch
Member Author

htuch commented May 18, 2020

CC @envoyproxy/security-team

mattklein123
mattklein123 previously approved these changes May 18, 2020

@mattklein123 mattklein123 left a comment


LGTM, thanks for the clarifications. Will defer to the rest of the security team for further comments.

Signed-off-by: Harvey Tuch <htuch@google.com>
@htuch htuch merged commit a691438 into envoyproxy:master May 19, 2020
@htuch htuch deleted the disclosure-policy branch May 19, 2020 21:27
spenceral added a commit to spenceral/envoy that referenced this pull request May 20, 2020
Signed-off-by: Spencer Lewis <slewis@squareup.com>

* master: (33 commits)
  docs: break release notes into categories (envoyproxy#11217)
  admin: extract more handlers to separate classes  (envoyproxy#11258)
  Load reporting service documentation  (envoyproxy#10962)
  http: testing 304-with-body behavior (envoyproxy#11261)
  fixing typos and breaking link issues (envoyproxy#11270)
  devex: initial commit of devcontainer setup (envoyproxy#11207)
  security: update policy for fix/disclosure SLOs. (envoyproxy#11243)
  http: fixing CONNECT to not advertise chunk encoding. (envoyproxy#11245)
  docs: update upstream network filters description (envoyproxy#11231)
  deps: update datadog tracer to v1.1.5 (envoyproxy#11253)
  test: Fix missing instantiation of parameterized tests. (envoyproxy#11247)
  fix go mirror when no changes (envoyproxy#11249)
  docs: host_rewrite -> host_rewrite_literal (envoyproxy#11229)
  wasm: update V8 to v8.3.110.9. (envoyproxy#11233)
  tls: update BoringSSL to 107c03cf (4103). (envoyproxy#11232)
  bazelci: always exclude nocoverage tag in coverage config (envoyproxy#11226)
  ci: save api revision in go-control-plane (envoyproxy#11220)
  build: fix cares build (envoyproxy#11225)
  stats: Pre-allocate codec stats for http1 and http2 (envoyproxy#11135)
  api: manifest based edge default documentation. (envoyproxy#11151)
  ...