(CII) Vulnerability Report Process #1031

pnbrown · 2021-07-12T14:12:53Z

Feature Request

There are three requirements in the vulnerability report process section. Do we have a plan for compliance?

The project MUST publish the process for reporting vulnerabilities on the project site.
If private vulnerability reports are supported, the project MUST include how to send the information in a way that is kept private.
The project's initial response time for any vulnerability report received in the last 6 months MUST be less than or equal to 14 days

Describe alternatives you've considered

N/A

Additional context

N/A

pnbrown · 2021-07-12T15:48:35Z

Related is that we'll need some process for handling and notifying in the releases about patched CVEs.

PushkarJ · 2021-07-12T17:14:44Z

Guessing here, but much of what is done by a VMware project that has a CII badge can be reused here e.g. velero

They have a CII badge and their answers to above questions can be found here: https://bestpractices.coreinfrastructure.org/en/projects/3811#reporting

pnbrown · 2021-07-12T19:26:03Z

Jonas showed me the site for the security information. Will follow up there to get this one resolved.

joshrosso · 2021-08-12T13:34:58Z

@pnbrown I reviewed @qnetter's work on our SECURITY.md file. I'm assigned this to him to get a PR in or delegate to someone in engineering to take his internal draft and create a PR.

We do check all these boxes, except that we don't have our vulnerability/CVE process in our repo yet.

pnbrown · 2021-08-24T17:28:09Z

Bumping this one. We can close out CII once this is completed.

pnbrown · 2021-08-24T17:29:18Z

Did not mean to close this but it looks like it's also being tracked in #1319

qnetter · 2021-08-24T17:49:00Z

I will post the correct SECURITY.md today.

…

Sent from my iPhone On Aug 24, 2021, at 10:28 AM, Nigel Brown ***@***.***> wrote: Bumping this one. We can close out CII once this is completed. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fvmware-tanzu%2Fcommunity-edition%2Fissues%2F1031%23issuecomment-904836698&data=04%7C01%7Crklorese%40vmware.com%7C50e28d00176047be6d3808d9672491fc%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637654229036620657%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Ga5rr8o3ZVl%2FzCUeLEb56S%2B1smoiEVPyAhRvtlKMQ2I%3D&reserved=0>, or unsubscribe<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FACZWVL2YR4U4UOR47TZHA33T6PJDJANCNFSM5AG56IOA&data=04%7C01%7Crklorese%40vmware.com%7C50e28d00176047be6d3808d9672491fc%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637654229036630611%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=BF2jZGW%2FT0kw9vt%2B9PbFISZKy96Ik9EiEGukAq7t%2FLg%3D&reserved=0>. Triage notifications on the go with GitHub Mobile for iOS<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapps.apple.com%2Fapp%2Fapple-store%2Fid1477376905%3Fct%3Dnotification-email%26mt%3D8%26pt%3D524675&data=04%7C01%7Crklorese%40vmware.com%7C50e28d00176047be6d3808d9672491fc%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637654229036630611%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=pYga9IMxcrq%2BCWuV3Ilu%2FXTKqCViTrPPUxCabT%2FtUxo%3D&reserved=0> or Android<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.github.android%26utm_campaign%3Dnotification-email&data=04%7C01%7Crklorese%40vmware.com%7C50e28d00176047be6d3808d9672491fc%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637654229036630611%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=IEPKyzcG27Dy691OrCyJyjxpRS189le8JM%2BRs6eir3E%3D&reserved=0>.

joshrosso · 2021-09-10T23:49:26Z

Does the recent inclusion of SECURITY.md mean that we can close this issue?

cc @pnbrown @qnetter

pnbrown · 2021-09-10T23:50:41Z

Yes

pnbrown added kind/feature A request for a new feature triage/needs-triage Needs triage by TCE maintainers labels Jul 12, 2021

joshrosso added this to the v0.7.0 milestone Jul 15, 2021

joshrosso removed this from the v0.7.0 milestone Aug 10, 2021

joshrosso added owner/community Work executed by VMware community team kind/feedback General feedback. Actionable items are converted to a different 'kind/*' and removed triage/needs-triage Needs triage by TCE maintainers kind/feature A request for a new feature labels Aug 12, 2021

joshrosso added this to the v1.0.0 milestone Aug 12, 2021

joshrosso assigned qnetter Aug 12, 2021

pnbrown closed this as completed Aug 24, 2021

pnbrown reopened this Aug 24, 2021

pnbrown closed this as completed Sep 10, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

(CII) Vulnerability Report Process #1031

(CII) Vulnerability Report Process #1031

pnbrown commented Jul 12, 2021

pnbrown commented Jul 12, 2021

PushkarJ commented Jul 12, 2021

pnbrown commented Jul 12, 2021

joshrosso commented Aug 12, 2021

pnbrown commented Aug 24, 2021

pnbrown commented Aug 24, 2021

qnetter commented Aug 24, 2021 via email

joshrosso commented Sep 10, 2021

pnbrown commented Sep 10, 2021

(CII) Vulnerability Report Process #1031

(CII) Vulnerability Report Process #1031

Comments

pnbrown commented Jul 12, 2021

Feature Request

Describe alternatives you've considered

Additional context

pnbrown commented Jul 12, 2021

PushkarJ commented Jul 12, 2021

pnbrown commented Jul 12, 2021

joshrosso commented Aug 12, 2021

pnbrown commented Aug 24, 2021

pnbrown commented Aug 24, 2021

qnetter commented Aug 24, 2021 via email

joshrosso commented Sep 10, 2021

pnbrown commented Sep 10, 2021