Re: Security WG meeting tomorrow after the TSC Call (10am central)
Hello Jim! I echo Ian’s comments.
From: <EdgeX-TSC-Security@...> on behalf of "Ian Johnson via Lists.Edgexfoundry.Org" <ian.johnson=canonical.com@...>
Thanks for starting on this. I have a few general comments on document #2 (the CVE/security process document).
I agree with Ian here. The recipients of the email will typically be a small subset of people, who will ascertain its validity, rank its criticality, and how soon a fix can be issued. Perhaps even call the team “vulnerability management” or something. My guess is each vendor/partner might want to have a representative here.
Any public disclosure is only after a fix is “in place” in production systems. Secrecy is key here. With the Spectre and Meltdown bugs, an entire community spanning multiple companies worked under wraps to fix the issues over a period of 6 months. The public became aware of the issue only when patches were pushed to the Linux kernel. Note OpenStack followed an alternate review workflow for security patches. With IoT, the attack surface is even larger.
Once addressed, we document each such issue discovered, which releases it affected, how, and the fix/patch. This is public like all CVEs.
OpenStack gave a lot of thought to this, please see if these links help:
The security vulnerability team will be a rapid response team, but fixes may take longer than a week. It may be more meaningful to say the mailbox will be monitored constantly, with coverage during member vacation spells.
Here a patch may require new containers to be posted including a patched OS or application as the case may be. We will need to determine whether it can be a “rolling” install (one that does not interrupt edge services) or one that does and if so how rapidly it can be applied.
On Tue, Mar 26, 2019 at 9:51 AM White2, James <James.White2@...> wrote: