OpenSSF Vulnerability Disclosures WG, 5 Jul 2023

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: OpenSSF Vulnerability Disclosures (July 5, 2023)

Description

Meeting minutes: https://docs.google.com/document/d/1jzqhW9SK9QRA39fQz0RiAkvpRWB0xztt1TAFJEseTlA

Repo: https://github.com/ossf/wg-vulnerability-disclosures

A

B

It doesn't flag the parameter, though, as one of the sources does it.

C

Sorry repeat: that does.

B

It flag um does it, does it comment and flag the parameter as an as a as a source, or does it just tag the the usage of it just.

C

B

hmm um Interesting.

C

Do you want to tag uh the parameter itself.

B

Probably it's going to require some more rework on the inside of the damn thing in order to get that to work. But yes,.

C

B

B

I think, in order to do that, in order to support that um you'll need to um make sync flow instead of holding a cursor hold a data flow node.

C

Okay, I will take a look okay.

B

Let's join us Josh, it might just be you and I and Aaron over here.

D

B

Maybe we'll see.

D

Everyone's still recovering from fireworks, maybe apparently.

B

I'm I'm toast I was.

E

In uh Arizona, this.

B

Past weekend, nice how'd.

D

B

Was good and I was there for a wedding? It was a good time, good stuff.

F

C

B

B

Okay, it is the fifth.

B

Hello, Yesenia um hello, uh so let me.

A

B

So the um I should have done meeting notes, Here.

B

Fill in your attendance that would be lovely. Oh most of you have already great.

B

All righty, then so.

B

B

E

Certification there we go got it.

B

B

C

B

uh Somebody was working on um coming up with the Stories, the user story or the the case that not the case studies. The colon example scenarios.

B

um uh She wrote up a couple and she will be joining us in two minutes.

C

B

D

Did was it added to the document or.

B

F

B

Message with him, so she's chill I'll ask her to cover those when she she hops on the call perfect.

B

Did we end up having some something in here that satisfies Xavier's, request of having another extra or validate the.

B

Third party: well, he didn't actually add the requirement.

D

I may have missed or forgotten that conversation. If you want to briefly talk about what the um yeah.

B

Foundation yeah um zombies proposals that the change gets reviewed by another org to make sure that, like it's, compiling fixing all test cases like.

B

Basically, reviewing um you.

F

B

Somebody to review the changes just to verify that those changes look good.

D

And the changes would be the the remediated patches, the.

B

Diff yeah of some like not not like exact but like a general's example, set.

F

D

um I mean that makes sense, but do we have a specific org or would it be no.

E

D

B

B

Yeah this and remove this up.

A

B

B

Hey, we can't hear you Josh if you're saying things: oh, yes, uh so.

B

um This this thing down here, let me just let me update these I, don't need to fix source code, four five, six, seven.

G

E

You know I mean.

B

I love about that great.

B

Automatic effects campaigns should avoid okay or not one.

B

B

B

Free avoid patching test code exclusively.

B

um What about who.

B

B

And then to answer I guess to cover.

B

uh Xavier's right, it should be um 4.3. External review reveal.

A

B

In the engine invert, there is likelihood of bugs in the.

B

um Some example patches should be reviewed by a third.

B

um Where is that? What zombie was asking for.

B

uh Lost should do we care.

D

I think we'll leave it up to them in case by case.

B

In order is the likelihood of bugs in the generated attack. Some example patches should be reviewed by a third party for.

B

Before deplying that uh before deploying the campaign, uh okay, um thank you and then to cover.

C

E

A

B

B

Okay, all right, that's handled! So um that's uh silly.

G

B

um Good, so um do you want to discuss the cases that you wanted to propose for covering? In the example scenarios.

G

I, don't think I've created um for the last two I haven't finished it, but I can try to Pace it and then format it later. But this is what I have okay now, hopefully I won't warm. It.

G

Pasted it over another thing to see no.

B

You did not it's just bumping it down, I mean.

E

G

So honey help me.

G

Defeat um p.m: P VR um is able, then, in that case, um let's see the we can just like. Let them know about the vulnerability and fix it immediately and then the other one was if it's not unable and the issue is disabled and the disclosure email can be found um in this case, um we want to like create a public. Well, what I understood is that we create a public um pull request to notify the maintainer.

B

Yes, so if people have this differently and the vulnerability is not fixed after nine days, then create a public pull request. um Yes, that.

F

B

That's generally accurate.

G

Is there like other steps that we should behind.

B

Communication, the repository host has pmpvr wait pmpvr by the way the repository host wait where they're the maintain their Repository uh Repository does not have ampvr enabled and the vulnerable is not fixed after 90 days. Yeah. Incredible, pull request in this case.

B

In the case where the repository is not a pmpvr and after reaching out by uh both email and issued tracker, the vulnerability is not fixed. After 90 days, you can create a public pool, request yeah. So there's the Reach Out step that still occurs here on the right side.

C

B

um Or the Repository.

B

So, in the case where the repository host does not support pmpvr.

B

B

F

In the case of their posture host does not.

B

uh Does not support pmpvr then find security. Reporting email with the open, uh OS disclose check instead.

C

Of automated emails.

B

To request uh yes: well, so the repository host does not support pmbvr. So there's a difference here: the if the repository post doesn't support pmpvr, that's like GitHub, GitHub or gitlab, or bitbucket non-sporting pmpvr. So if the host doesn't support it, then they may spend the repository can't turn it on, because they mean because the the code base itself does like the the where.

C

B

Code is being hosted, doesn't support it so that that means.

G

We just leave it as this well.

B

If we can send on any emails, uh we can't request with Daniel pvm PVR. We send automated emails with the patch and.

E

G

And can you clarify what a Pash is.

E

B

um A patch it's um means two things kind of so in the general sense of patch means a contribution, um but a patch file which is dot p-a-t-c-h, is a standard format for defining um a diff that is like from what currently the code is the diff to what we want it to be um is a standard format of dot patch files um that uh tooling, like git and other other other things. Can you be be used to apply um get commits when you see the commits um commits are always in patch format.

B

So if you look at any commit on GitHub um yeah.

E

B

Yeah, so this this plus and minus format that you're seeing here I mean this is a parsed out version of it. But the there's a textual version of this format that that.

C

B

E

B

um In the case for repository house does not support, pmpvr then find the security reporting email with and send automated e email with the patch.

B

Find the security reporting emails.

B

And synonyms of the patch and indicate the splitter time on the four public policy Ocean or.

B

uh There won't be an existing issue yeah also, if they don't support pmpvr, then so yeah. So if the pmpvr is not enabled this case right um and the vulnerability is not fixed so earlier right, this might be um like pmpvr. Let's do this 3.1 Dot three.

B

uh Even TBR is not enabled.

B

F

B

Issue, detector, requesting PM, PVR enabled um and then 3.1 Dot 3.1 would be vulnerability, is not fixed.

E

B

uh If equivalent so then so like this is a subsection under three Dot one right. So let's say the vulnerability is not so. In this case, right uh pmpvr is not enabled in the case where the repositors not fpmpvr, uh enabled.

B

And after reaching out we'll have a viable email and the issue tracker.

C

B

Reach Out, viable email and the issue track requesting pmpvr be enabled. um The email will also include the patch with the fix or the vulnerability.

B

um Vulnerability is not fixed after not if the vulnerability is not fixed after 90 days, then create a public pull request.

B

Right, that's that's one case if the vulnerability is not fixed.

B

Let's see 3.1.3.1, let's just do this 3.1.3.

B

Pmpvr is enabled here within 90 days of contacting.

B

Empr is enabled report our.

B

That makes sense yeah.

B

And then email's not found emails bounced back, um this would be so emails emails are not found could be under. Pmpvr is not enabled right.

F

B

B

So, in this case, if emails are not found, 3.1 Dot well, hang on pmpvr is not enabled.

G

About they are unable, but we still can find that you know.

B

B

B

Yes, fine love, um okay, so in this case, if PMP have already nailed, the issues are enabled if.

A

Emails are not found.

B

B

If emails are not found, then we this in this case um public disclosure.

B

uh Well, it depends upon so the problem here is that it depends upon if, like um if the issue was previously opened right, um it.

F

Was like a matrix of events here.

B

You either use the existing issue or create a create a new one.

E

B

Are used to be existing come on foreign.

B

If emails are not found, wait 35 days from the.

C

B

Issue above having been created, then, if PM PBR is still not enabled public.

B

This actually is is true for both if, if emails are not found or emails, bounce back.

B

G

And this is the same scenario if it's unable like, if they have it, turned on, but we're not able to find the email. We'll still have to wait like 35 days well,.

B

If pmpvr is enabled, then we just use it right, so we don't check. We don't even need to check for emails if it's. If it's there.

G

Got it all right, let's create a public request, yeah yeah.

B

B

If pmpvr is not enabled, the issues are enabled.

B

Oh, this is interesting. What do we.

B

In the case that we have.

B

We'll throw balls, are your host, doesn't support PM or well? Okay, so the repository host doesn't support pmpvr.

B

Oh okay, wait Prosper, Sports bmvr here.

B

That's not true. Let.

E

B

B

If the okay, so if it doesn't work, if it doesn't support PM PBR, then you just go to the email route.

E

B

B

B

Here, you're not deported by repository host.

B

Right if the PMP version is not supported by the repository post,.

B

That assumes the emails are found.

B

B

B

Or emails all bounced.

B

Yeah I think that's accurate.

E

B

This all making sense to everybody in my my read through these real quickly.

D

Yeah, let me read through them.

B

All right, 3.1.1 pmpvr, is enabled in a case where the repository hosts, Sports pmpvr and the repository has its enabled then vulner, uh then the vulnerability and the fix will be provided immediately by a PM. Pbr um pmpvr is not enabled. Issues are disabled and disclosure. Emails can't be found in a case where the repository pmpvr is not enabled.

B

Issues are disabled and email is not found and then create a public pull request immediately.

B

Mpvr is not enabled, but emails are found and issues are enabled in the case for the repositories not a pmpvr, enabled Reach Out, viable email and the issue tracker requesting pm and PPR enabled email will also include the patch, with the fix for the vulnerability.

D

And 3.1.2 create a public pull request immediately. Are we submitting the patch with that one, or is it just the notification to enable pnpvr.

B

F

B

Units were not found, then you don't submit the patch because you don't want to because the issues are public.

D

Okay, so we are not submitting a patch or the vulnerability on point two. We.

B

Are only um we do so where pmpvr is not enabled the issues are disabled and the email is not found, then create a public pool request immediately. So that's that's a that. The public pool request is the fix with the disclosure of the details.

D

Okay, uh I, don't know if you want to just put that out. Just noting that it does include the there. You go.

D

um Publicly and create by creating.

D

F

E

B

um 3.1.3 pmpvr is not enabled, but emails are found and issues that are enabled and in case for the.

C

Processor does not have pmpvr enabled.

F

B

Email and hit the issue tracker requesting pmpvrv enabled the email also include the patch with default fiction for the vulnerability um 3.1.3.1, if pmpvr, if within 90 days of contacting the maintainers, if VR is, enabled contribute the patch by a private pull request, leveraging PMB VR um 3.1.3.2. If the vulnerability is not fixed after 90 days, then create a public pull request.

B

B

Pmpvr is not supported by the repository host in the case of the repositories does not support pmpbr if emails are found, find the security reporting emails with the open, SS expose check and send automated emails uh with the patch and indicate the disclosure timeline before pull request be opened it in the other case, emails are not found, or all emails bounce immediately publicly explosive vulnerability by public pull request.

B

3.1.5 pmpvr is not enabled the issues are enabled either create a new issue requesting pmpvr enabled or use uh an existing one. If one was created by a previous campaign by the same operator.

B

um And then 3.1.5.1.

B

um Emails are not found, or all bounced like 35 days from the issue above having been created, then, if pmpvr is still not enabled create a public pull request.

F

B

B

That handles the majority of the cases. Are there any like major cases that we're not handling or any of these other people are confused about.

D

Just for visibility, readability, the 3.1 3.2, maybe indentum, because when I first looked at them, I thought they were like more um so any of those sub sessions. Yeah there you go because then it just looked like a lot of different use cases which they are, but.

D

You know those are good. The one right under it.

D

And then scroll down, please.

B

D

D

On point five: three one: five: um is there a recommendation, you said either create a new issue or use an existing one.

D

um Do you recommend them just create a new issue so.

B

It doesn't overlap if a and, let's no, no, so you wanna yeah. So if, um if and issue was previously created,.

B

B

Is that issue otherwise very new issue, requesting pmpvr being able clear so prefer to use an existing issue so you're not spanning a maintainer? Otherwise, if you're an issue.

C

That makes sense: okay,.

G

Yeah, it makes no sense yeah.

G

It's always basically flagging the same issue to them again.

B

Yeah you're, basically reusing the same issues you're not having to.

G

um Recreate one okay.

B

B

D

After skimming it, it makes sense as far as additional use cases I think we've covered the majority of it.

E

D

um Maybe we can wait and get further feedback from other folks that may like hey what about this use case. But um what about the use case of archive repositories?

D

I think that was one that we had talked about last week and we forgot to yeah.

B

It needs to be yeah um three point, one point: six.

A

A

A

A

B

Lord, okay, Mr rosary's archive leverage. Openness is uh to try to find the.

B

A

A

B

Emails are not found.

B

B

Emails are found.

B

B

B

uh Emails are found, wait 90.

B

um And non-bounds and.

B

B

It's not fixed, follow 3.1.6.1.

B

How does that look.

D

I, like the redirect to the other.

A

D

It looks good to me.

E

Silly question: why do we care if it's, if the Reapers archived to still report it.

B

um That was an opinion from I was of the opinion that we should just just do nothing and or publicly disclose. It was the opponent opinion of Jordan her um that there may be repositories out there that um there may be. There may be repositories out there that um are archived, but the maintainers still care about.

B

C

B

Was that was the his the the assertion or the thought.

D

um Do we have any other special cases, I remember there was like one where we had to create a specialized Fork of it. If the maintainer didn't want to accept it, did we cover that case.

B

If the maintainer had opted out, you mean yes.

B

D

I mean these can go on forever for the different use cases, but.

B

Yeah, so the maintainer opted out.

A

B

Yeah we got on uh seven uh yeah.

B

Yeah, so this this one.

B

Is heading four, let me make sure there cross stories opted out.

A

B

Does that make sense? Are we yeah.

B

I'm wondering if, because we're mentioning this opt out.

D

A

D

Just redirect them to that section, if anything.

A

B

D

F

D

Like see, yeah.

B

Like a linking.

E

Kind of uh insert the link.

B

E

C

A

B

There's a question that I got about.

G

You have another one, but I don't know.

B

Yeah before it.

G

The the issue is closed or deleted without a response like should we like wait now 35 days so should we not even have that.

F

A

B

If the issue that's closed before the 90 before is closed without response or.

A

E

D

That one makes sense to me.

D

I think we're good. This was.

C

D

Different example scenarios um and then you could put at the end like for more specific details. Look at the sections below or something.

A

B

Okay, all right so that handles that.

E

B

B

I don't know, I think that we're in a good State here.

D

Yeah I think I think this document's ready to um move forward. um Do we know what the next step is.

B

um Miranda to the vulnerability work group, all right, so let me just reread the opening certain class is one of those are common wives, but I'm easily, detectable.

A

To automated tooling, additionally, menme.

B

Are easily detractable and fixes and the fix can be entirely automated. In these cases, the scope of the vulnerability is often beyond what can be reasonably reported to meet each maintainer privately in a one-on-one Exchange, essentially automated they created a creation of thousands of bug. Reports also isn't useful element um even more of our non-volunteer maintainers, of open social projects.

A

B

Further, it's often impractical to.

B

Her report, one really just scale across open source software following all desired disclosure.

B

Further adoption, practical and particles to privately report, one of those at scale across open source, while still following all maintain our desired disclosure mechanisms given uh multitude of vulnerability, reporting.

B

For example, some projects use cap security, advisories these email and still others use vulnerable exposure platforms. Background.

A

B

Josh this so does this handle your comment here.

D

uh Let me reread it really quick.

E

A

We definitely cover.

B

The limitations.

A

Of the existing mechanisms, um we cover the automation part. This.

B

Specification Center balance.

D

Yeah, that's probably good enough.

A

Maybe such as might be others or will be others in the future.

B

No I mean we're currently limiting an email, and you.

F

B

Security advisors, so by supporting a limited service, automated automatable disclosure mechanisms, the specification aims that started: balancing security, researchers and maintainers around at scale disclosure and fixed contributions.

D

I think it's referring to the statement above it says still, others used vulnerability, disclosure platforms and then.

A

D

A

You can just mark my common as resolved.

B

By setting up by supporting a limited set of automatable disclosure mechanisms, um this specification aims to strike a balancing security, researchers and maintainers around at that scale. Disclosure and security uh scale.

B

This specification describes our current events that must be satisfied for any campaign to be compliant any campaign. uh Any can can um any compliant campaign can attach the openness of compliant automated model disclosure badge to any communication or pull request issued.

A

B

B

F

B

E

B

um Coordinated on it, not automated private disclosure, yada yada, basically limiting it to like you know if it's new or novel, you better disclose privately, but if it's not new or novel, go for it. um Pirates closure. If you open, SF, closing provider Sports a pragmatic means of private disclosure, for example,.

A

B

Pmpvr's name is available from a housing provider and not enabled on the vulnerable repository than a public issue. Requesting PBR, HTTP, enablement, repository or organization must be requested, vulnerability itself must not be disclosed and they just didn't vulnerability.

B

Existence of accountability should be disclosed. Your campaign should consider how to minimize notification level of the maintainers.

B

Imagine 30 days of opening an issue requesting pmpvr enabled it's a human generator.

B

Well, this has changed now.

D

I do want to re, be respectful folks time we are over and.

B

I hope we are over okay, yeah yeah.

D

um Anything that I can do to help you with this Jonathan, so we can move it on to the vulnerability disclosure group.

B

B

No I think that I'm just gonna Focus this a little bit further just to make it clean it up a little bit and then um then move forward. um We can present it to the I mean when's. The next meeting.

D

I think it's sometime next week.

B

Yeah, it's probably Wednesday.

D

Yeah next Wednesday yeah.

B

I will um I will send this over to the um Alpha Mega staff to get them to review it and read it like um management um uh Brian ballador from such, like that.

E

Okay: okay, all.

B

D

All right, thank you. Everyone.

B

Yeah talk to you later.

A

See you everybody bye, bye thanks.