security: update policy for fix/disclosure SLOs. #11243

Merged
May 19, 2020
26 changes: 25 additions & 1 deletion SECURITY.md
Expand Up @@ -118,12 +118,36 @@ score](https://www.first.org/cvss/specification-document#i5)) the Fix Team can d
release process down in the face of holidays, developer bandwidth, etc. These decisions must be
discussed on the envoy-security mailing list.

A two week window will be provided to members of the private distributor list from candidate patch
A three week window will be provided to members of the private distributor list from candidate patch
availability until the security release date. It is expected that distributors will normally be able
to perform a release within this time window. If there are exceptional circumstances, the Envoy
security team will raise this window to four weeks. The release window will be reduced if the
security issue is public or embargo is broken.

### Fix and disclosure SLOs

* All reports to envoy-security@googlegroups.com will be triaged and have an
initial response within 1 business day.

* Privately disclosed issues will be fixed or publicly disclosed within 90 days
by the Envoy security team. In exceptional circumstances we reserve the right
to work with the discloser to coordinate on an extension, but this will be
rarely used.

* Any issue discovered by the Envoy security team and raised in our private bug
tracker will be converted to a public issue within 90 days. We will regularly
audit these issues to ensure that no major vulnerability (from the perspective
of the threat model) is accidentally leaked.

* Fuzz bugs are subject to a 90 day disclosure deadline.

* Three weeks notice will be provided to private distributors from patch
availability until the embargo deadline.

* Public zero days will be fixed ASAP, but there is no SLO for this, since this
Member Author
I'm kind of torn on this one. OTOH, setting no SLO for a zero day seems like a terrible idea. OTOH, expecting any individual member of the Envoy security team to drop everything also seems kind of bad. I think if we had an on-call rotation for Envoy security team to deal with triage and fixing public zero days it might be possible to set an SLO. Any thoughts on this?

Member
I'm skeptical of an SLO here, as it really depends on the issue and how hard it is to fix. IMO this language is fine for now and we can improve later as needed.

will depend on the severity and impact to the organizations backing the Envoy
security team.

### Fix Disclosure Process

With the fix development underway, the Fix Lead needs to come up with an overall communication plan
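Review bot: the new 90-day bullets (privately disclosed issues, private-tracker issues, fuzz bugs) do not say when the clock starts, whether at receipt of the report, at the 1-business-day triage response, or at confirmation of the bug, and the three-week distributor window now appears twice: once in the paragraph above, which carries the four-week exception and the reduction when the issue is public or the embargo is broken, and once as a bare bullet ("Three weeks notice will be provided to private distributors from patch availability until the embargo deadline") without either qualifier. Suggest stating the start of each 90-day clock explicitly and having the bullet refer back to the paragraph for the exceptions, so the two statements cannot drift apart in later edits.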