Vulnerability Management

From iDempiere en

Suggested process to manage a vulnerability

NOTE: This is the expected process for responsible community contributors to follow when reporting a vulnerability. Of course it is out of our hands if somebody prefers to disclose the vulnerability publicly on their own blog, but we appreciate community members following this approach.

Phase 1 – Vulnerability Reporting, Acknowledgment, Validation, and Replication

  • Finder (internal or external) reports issue - see How to report a vulnerability
  • Acknowledgement
  • Validation
  • Assessment of status
  • Replication
  • CVSS scoring
    • Calculate the CVSS score - there is a public calculator
    • For details on how to fill in the calculator values, please check the CVSS guide

Phase 2 – Vulnerability Resolution with workarounds, patches, and fixes

  • Developers work on a solution for the vulnerability
    • At this stage, developers on the security mailing list can decide to work closely with the finder and other key developers in the community

Phase 3 – Responsible Disclosure and call to action

Disclosure is conducted in phases – notifying increasingly larger numbers of organizations – until the final phase of general public disclosure.

The phased disclosure process balances our responsibility to critical internet infrastructure, our customers, our operating system partners, our forum subscribers, and the large deployment of our software running on networks throughout the world.

The objective of a phased disclosure is to provide the opportunity to upgrade within a reasonable maintenance window, minimizing rushed action and operational anxiety.

Given that we’re an open source project, we are working to have all our vulnerability management processes published and all vendors and users made aware of them.

Level One

  • Key Contributors (including responsible finder)
    • Formal notice and pre-release code snapshot as far in advance as possible
    • At least five business days in advance of the release of the public disclosure

Level Two

  • Software forum subscribers and Global security organizations
    • Written notice of the disclosure ~24 hours before planned release of the public disclosure and code

Level Three

  • General Public disclosure of the vulnerability, and release of patched versions

Bibliography: VulnerabilityManagementOSB.pdf