
Establish processes for security issue reporting, evaluation, fix release #2924

Open
15 tasks
guydc opened this issue Mar 14, 2024 · 3 comments
Labels
area/community area/envoy documentation Improvements or additions to documentation
Milestone

Comments

@guydc
Contributor

guydc commented Mar 14, 2024

Description:
Projects like Envoy proxy have a robust process for vulnerability management, outlined here. OSS control planes like Istio have similar processes in place.

Envoy Gateway should establish similar processes, communication channels, responsibilities, SLOs, etc.

More concretely, the following should be done:

  • Create a public vulnerability reporting and disclosure process:
    • Create an email for Envoy Gateway vulnerability reporting
    • Establish a security team responsible for monitoring vulnerability reports and determine criteria for membership
  • Define a security assessment and fix process:
    • Determine how a security team member(s) is appointed to determine the severity of a reported issue and/or develop a fix (e.g. release manager for upstream envoy patches, security team member on duty for EG-specific issues, code owner, ad-hoc decision by the security team... )
    • Where is the fix developed (private GH repo?)
    • What are the SLAs for the fix to be available (time to determine severity since disclosure, time to fix from severity determination based on severity level)
  • Create process for early disclosure
    • Establish criteria for membership in early disclosure group
    • Determine when a vulnerability is disclosed with the early disclosure group
    • Create an early disclosure reporting email for Envoy Gateway
    • Define an embargo policy
  • Create a public vulnerability disclosure process for Envoy Gateway:
    • Decide on a medium for vulnerability disclosure (EG Site, Slack Announcement)
    • Define how fixes relate to the release process in terms of release responsibility, announcement, etc.

Additionally, Envoy Gateway security representatives should strive to join the Envoy Proxy private distributor list, to ensure early disclosure of vulnerabilities and proper preparation for fix releases.

@guydc guydc added the triage label Mar 14, 2024
@guydc guydc changed the title Establish processes for security issue reporting, evaluation, fix release, Establish processes for security issue reporting, evaluation, fix release Mar 14, 2024
@guydc guydc added documentation Improvements or additions to documentation area/envoy area/community and removed triage labels Mar 15, 2024

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

@github-actions github-actions bot added the stale label Apr 14, 2024
@arkodg arkodg removed the stale label May 23, 2024
@arkodg arkodg added this to the v1.1.0 milestone May 23, 2024

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

@github-actions github-actions bot added the stale label Jun 22, 2024
@guydc guydc modified the milestones: v1.1.0, v1.2.0 Jul 23, 2024
@github-actions github-actions bot removed the stale label Jul 23, 2024

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

@github-actions github-actions bot added the stale label Aug 22, 2024
@arkodg arkodg modified the milestones: v1.2.0-rc1, v1.2.0 Oct 10, 2024
@github-actions github-actions bot removed the stale label Oct 10, 2024
2 participants