Improve security response docs
This improves the security response team docs.
This helps set submitter expectations and controls behavior.
This clarifies that the decision to spread information about reported
security vulnerabilities should be coordinated by security response
team members, and sets criteria for that decision.
This corrects spelling errors.
This calls for an email notification when a new security
advisory is created.
Change-Id: I48edb4e819beadf41da2011f63eb9a2ec3dd4ec9
Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
diff --git a/security/how-to-report-a-security-vulnerability.md b/security/how-to-report-a-security-vulnerability.md
index 9a304b4..7680936 100644
--- a/security/how-to-report-a-security-vulnerability.md
+++ b/security/how-to-report-a-security-vulnerability.md
@@ -9,27 +9,33 @@
publicly available.
- You want the problem fixed before public disclosure and
you are willing to help make that happen.
- - You understand the problem will be publicly disclosed.
+ - You understand the problem will eventually be publicly disclosed.
To begin the process:
- - Send an email to `openbmc-security@lists.ozlabs.org` with details
+ - Send an email to `openbmc-security at lists.ozlabs.org` with details
about the security problem such as:
- the version and configuration of OpenBMC the problem appears in
- how to reproduce the problem
- what are the symptoms
+ - As the problem reporter, you will be included in the email thread
+ for the problem.
-The OpenBMC security response team will respond to you and work to
+The OpenBMC security response team (SRT) will respond to you and work to
address the problem. Activities may include:
- Privately engage community members to understand and address the
- problem.
+ problem. Anyone brought onboard should be given a link to the
+ OpenBMC [security response team guidelines][].
- Work to determine the scope and severity of the problem,
- such as [CVSS metrics](https://www.first.org/cvss/calculator/3.0).
- - Work to create or identify an existing [CVE](http://cve.mitre.org/about/index.html).
+ such as [CVSS metrics][].
+ - Work to create or identify an existing [CVE][].
- Coordinate workarounds and fixes with you and the community.
- Coordinate announcement details with you, such as timing or
how you want to be credited.
- Create an OpenBMC security advisory.
+Please refer to the [CERT Guide to Coordinated Vulnerability Disclosure][],
+(SPECIAL REPORT CMU/SEI-2017-SR-022) for additional considerations.
+
Alternatives to this process:
- If the problem is not severe, please write an issue to the affected
repository or email the list.
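Review bot: the change from `openbmc-security@lists.ozlabs.org` to `openbmc-security at lists.ozlabs.org` in the "Send an email to" step makes the address non-copyable and is inconsistent with the rest of this patch, which keeps the `@` form in the notice template (`TO: openbmc-security@lists.ozlabs.org`) and in `openbmc@lists.ozlabs.org`; either keep the real address here or apply the same obfuscation everywhere. Also, the added sentence "Please refer to the [CERT Guide to Coordinated Vulnerability Disclosure][], (SPECIAL REPORT CMU/SEI-2017-SR-022)" has a stray comma before the parenthetical.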
@@ -39,3 +45,8 @@
such as a customized version of OpenBMC), please report it and we
will help you route it to the correct area.
- Discuss your topic in other [OpenBMC communication channels](https://github.com/openbmc/openbmc).
+
+[security response team guidelines]: ./obmc-security-response-team-guidelines.md
+[CVSS metrics]: https://www.first.org/cvss/calculator/3.0
+[CVE]: http://cve.mitre.org/about/index.html
+[CERT Guide to Coordinated Vulnerability Disclosure]: https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf
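Review bot: the `[CVE]` reference definition uses plain `http://cve.mitre.org/about/index.html`; for a document that tells reporters where to look up identifiers, prefer `https://` so the link is not served over an unauthenticated channel. The other three definitions already use `https://`.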
diff --git a/security/obmc-security-response-team-guidelines.md b/security/obmc-security-response-team-guidelines.md
index bf91d9b..76be9c0 100644
--- a/security/obmc-security-response-team-guidelines.md
+++ b/security/obmc-security-response-team-guidelines.md
@@ -2,9 +2,9 @@
These are the guidelines for the security response team members
including OpenBMC community members who are responding to problems
-reported by the [security vulnerability reporting process](./obmc-security-response-team.md).
+reported by the [security vulnerability reporting process][].
-The security response team coordinates activity to address privately
+The security response team (SRT) coordinates activity to address privately
disclosed security vulnerabilities, engages resources to address them,
and creates security advisories.
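Review bot: the acronym "(SRT)" is introduced here but nothing later in the file uses it (later lines still spell out "security response team", and the notice template writes "Security Response team"); either use the acronym consistently after defining it or drop the definition, and settle on one capitalization of the team name.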
@@ -15,13 +15,14 @@
Workflow highlights:
-1. Handle new problem reports
+1. Handle new problem reports.
- Within a day, acknowledge you received the report.
Note that reports are archived in the mailing list.
- Communicate within the security response team, typically be
cc'ing the openbmc-security email list.
-2. Analyze the problem
+2. Analyze the problem and engage collaborators as needed (upstream,
+ downstream, and OpenBMC).
- Determine if the problem is new or known.
- Determine if the problem is in OpenBMC.
- If the problem is in a project that OpenBMC uses, re-route
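Review bot: the unchanged context line "Communicate within the security response team, typically be cc'ing the openbmc-security email list" has "be" where "by" is meant; since the commit message says this change corrects spelling errors, fix it in this hunk while you are editing step 1.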
@@ -31,17 +32,23 @@
- Determine which OpenBMC areas should address the problem.
- Draft a CVE-like report which includes only:
* the vulnerability description: omit OpenBMC specifics
- * [CVSS metrics](https://www.first.org/cvss/calculator/3.0)
+ * [CVSS metrics][] with explanations as needed
* CVE identifiers, if known
- Gather data for the security advisory (see template below).
-
-3. Bring in contributors as needed (upstream, downstream, and OpenBMC)
- Use private channels, e.g., email.
- Inform contacts this is private work as part of the OpenBMC
- security response team. For example, link these guidelines.
+ security response team. For example, link to these guidelines.
- Coordinate with all stakeholders and keep them informed.
-4. For OpenBMC problems:
+ Considerations in the [CERT Guide to Coordinated Vulnerability
+ Disclosure][] (SPECIAL REPORT CMU/SEI-2017-SR-022) may guide the process.
+
+ Example collaborations:
+ - Submit the problem to another security response team, for example, the
+ [UEFI Security Response Team (USRT)][].
+ - Privately engage an OpenBMC maintainer or subject matter expert.
+
+3. For OpenBMC problems.
1. Determine if this is a high severity problem. Example using
CVSS metrics: a remotely exploitable or low complexity attack that has
high impact to the BMC's confidentiality, integrity, or availability.
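Review bot: the added paragraph "Considerations in the [CERT Guide to Coordinated Vulnerability Disclosure][] ... may guide the process." follows the bullet "- Coordinate with all stakeholders and keep them informed." with no blank line between them, so Markdown will treat it as a lazy continuation of that bullet rather than as a separate paragraph of step 2; insert a blank line before it, as was done before "Example collaborations:". The merge of the old step 3 into step 2 otherwise reads well, and the renumbering of "4. For OpenBMC problems" to "3." is consistent with the sub-steps that follow.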
@@ -50,24 +57,34 @@
process but limit the details in the issue or use a
private channel to discuss.
3. Negotiate how the code review will proceed.
- - Consider [contributing](https://github.com/openbmc/docs/blob/master/CONTRIBUTING.md#submitting-changes-via-gerrit-server)
- using a Gerrit [private change](https://gerrit-review.googlesource.com/Documentation/intro-user.html#private-changes) if everyone has access to Gerrit.
- - Consider using [Patch set](https://en.wikipedia.org/wiki/Patch_(Unix))
- emails to make reviews accessible to all stakeholders.
- 4. When agreed, publish a security advisory to
- https://github.com/openbmc/openbmc/issues and email list
- openbmc@lists.ozlabs.org.
- Make the Gerrit review publicly viewable.
+ - Consider [contributing][] using a Gerrit [private change][] if
+ everyone has access to Gerrit.
+ - Consider using [Patch set][] emails to make reviews accessible to
+ all stakeholders.
+ 4. When agreed:
+ - Publish a security advisory to
+ https://github.com/openbmc/openbmc/issues and email list
+ openbmc@lists.ozlabs.org.
+ - Make the Gerrit review publicly viewable.
+ - Email the Security Advisory to the OpenBMC community (see below).
5. Improve OpenBMC processes to avoid future problems.
-## DRAFT Template: Initial response to the problem submitter
+[security vulnerability reporting process]: ./obmc-security-response-team.md
+[CVSS metrics]: https://www.first.org/cvss/calculator/3.0
+[UEFI Security Response Team (USRT)]: https://uefi.org/security
+[CERT Guide to Coordinated Vulnerability Disclosure]: https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf
+[contributing]: https://github.com/openbmc/docs/blob/master/CONTRIBUTING.md#submitting-changes-via-gerrit-server
+[private change]: https://gerrit-review.googlesource.com/Documentation/intro-user.html#private-changes
+[Patch set]: https://en.wikipedia.org/wiki/Patch_(Unix)
+
+## Template: Initial response to the problem submitter
The OpenBMC security response team has received the problem.
- Thank you for reporting this.
- Share preliminary results of the analysis.
- Share preliminary OpenBMC plans or that we are analyzing the problem.
- Set expectations for follow-up communications.
-## DRAFT Template: OpenBMC Security Advisory
+## Template: OpenBMC Security Advisory
```
OpenBMC Security Advisory
Title: ...
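Review bot: the new definition `[security vulnerability reporting process]: ./obmc-security-response-team.md` points at a file this patch does not touch, while the reporting process this patch edits lives in `security/how-to-report-a-security-vulnerability.md` (and the last hunk of this file links readers to that path for "more information"); confirm `obmc-security-response-team.md` exists, or point this reference at `./how-to-report-a-security-vulnerability.md`. Separately, "DRAFT" is dropped from both template headings; if the templates are now considered final, a line in the commit message saying so would help reviewers.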
@@ -77,14 +94,6 @@
The CVSS score for these vulnerabilities is "...", with temporal score
"...", with the following notes:
https://www.first.org/cvss/calculator/3.0
-- AV:
-- AC:
-- PR:
-- UI:
-- S:
-- C/I/A:
-- E:
-- RC:
The fix is in the https://github.com/openbmc/... repository as git
commit ID ....
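Review bot: removing the `AV:` through `RC:` lines leaves "with the following notes:" followed only by the calculator URL, so the sentence now promises notes that never appear; either reword to "score computed with https://www.first.org/cvss/calculator/3.0" or keep a single placeholder line for the CVSS 3.0 vector string so the advisory still records the individual metric values.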
@@ -95,11 +104,29 @@
Credit for finding these problems: ...
```
+## Template: Security Advisory notice
+When the Security Advisory is created, inform the OpenBMC community by
+sending email like this:
+
+```
+TO: openbmc-security@lists.ozlabs.org, openbmc@lists.ozlabs.org
+SUBJECT: [Security Advisory] ${subject}
+
+The OpenBMC Security Response team has released an OpenBMC Security Advisory:
+${url}
+
+An OpenBMC Security Advisory explains a security vulnerability, its severity,
+and how to protect systems that are built on OpenBMC. For more information
+about OpenBMC Security Response, see:
+https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md
+```
+
## Reference
Some of these guidelines were collected from:
- https://bestpractices.coreinfrastructure.org/en/projects/34
- https://www.kernel.org/doc/html/v4.16/admin-guide/security-bugs.html
- https://oss-security.openwall.org/wiki/mailing-lists/distros
+ - [ISO/IEC 29147:2018 vulnerability disclosure](https://www.iso.org/standard/72311.html)
## Team composition and email maintenance
@@ -121,13 +148,12 @@
The email list membership is not intended to be secret. For example,
we can discuss it a public forum. However, no effort is made to make
-the list public.
+the list's membership public.
-The email list identification could be `for privately reporting
-OpenBMC security vulnerabilities` and its description could be: This
-email list is for privately reporting OpenBMC security
-vulnerabilities. List membership is limited to the OpenBMC security
-response team. For more information, see
+The email list identification is `for privately reporting OpenBMC security
+vulnerabilities` with description: This email list is for privately reporting
+OpenBMC security vulnerabilities. List membership is limited to the OpenBMC
+security response team. For more information, see
https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md
Sample response for denying list membership:
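Review bot: the notice template's "For more information about OpenBMC Security Response, see" points at `obmc-security-response-team.md`, while the list description at the end of this hunk points at `how-to-report-a-security-vulnerability.md` for the same purpose; pick one canonical page so community members and list applicants land in the same place. Also in this hunk: "Security Response team" in the email body is capitalized differently from the rest of the document; the unchanged line "we can discuss it a public forum" is missing "in"; and the added ISO/IEC 29147 reference uses a Markdown link while the three entries above it are bare URLs, so the list should use one style.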