Proposal: HowTo handle security and other incidents
In #2359, Eric requested the email@example.com mailing list to allow users to send security incidents to the core developers.
While this is a great thing, we still need a followed and publicly documented procedure to handle such incidents.
Following is my proposal for such a process:
- Immediately auto-confirm the message OR manually confirm the message in no more than 24 hours
- Keep the initial communication very discreet.
- The response should include the internal issue ID.
- Check if this is a real bug and confirm the result to the original sender ASAP
- Assign a CVE Candidate Number
- This number is then publicly stated in the final announcement
- Prepare the patch using the private issue.
- Check if the patch has to be backported.
- It is important that we explicitly state which versions / branches of Redmine are supported at any one time.
- All supported versions have to be patched at the same time.
- Send an announcement to a semi-public list aimed at developers trying to keep their systems clean. Do not immediately announce the security incident in every channel, to allow admins to patch their systems in a reasonable time frame.
- This could be modeled like http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList
- After about a week (?), create a public news entry stating at least
- the CVE ID
- Affected versions
- Solution / HowTo update or patch systems
- Also create blog posts, IRC messages, ... only after the grace period.
Also, there should be a GPG key prominently included in SubmittingBugs to allow the sender to encrypt the sensitive incident message and any communication with the devs.
Just for clarification, the initial response should not include the solution. It is just meant as a first confirmation that the security team has received the notice and is looking at it.
Also, here are some links to how others handle this:
Eric, I just found the request for an announcement list I told you about. It is in the thread "Security distribution list?"
(We've already talked about this on IRC, but for the rest of the community:)
In an ideal world, this plan would be great. The problem is that Redmine's developer team is very understaffed right now (it's only me and Jean-Philippe committing code and with security access). With the fixed 24 hour deadline, that means that Jean-Philippe or myself would have to be "on call" at all times, and that is not something I am willing to do.
An automated reply might work; but we'd need to add more infrastructure to support it and as it is, I don't have access to the Redmine.org server. Maybe Jean-Philippe could set something up for it?
What I would recommend is to take this proposal and convert it into a wiki page with all the details of the policy. Then we can figure out what work is needed. The less work required for a developer, the better (e.g. direct links to create a CVE number, template emails to use when replying, etc).