List:       openvswitch-discuss
Subject:    [ovs-discuss] increasing the "default" embargo period for vulnerabilities
From:       blp () ovn ! org (Ben Pfaff)
Date:       2016-04-01 4:55:18
Message-ID: 20160401045518.GR28186 () ovn ! org

On Wed, Mar 30, 2016 at 06:11:33PM -0300, Flavio Leitner wrote:
> On Wed, Mar 30, 2016 at 10:22:13AM -0700, Ben Pfaff wrote:
> > SECURITY.md currently says:
> > 
> >     A disclosure date is negotiated by the security team working with the
> >     bug submitter as well as vendors.  However, the Open vSwitch security
> >     team holds the final say when setting a disclosure date.  The timeframe
> >     for disclosure is from immediate (esp. if it's already publicly known)
> >     to a few weeks.  As a basic default policy, we expect report date to
> >     disclosure date to be 3~5 business days.
> > 
> > When we recently put an actual vulnerability through this process, we
> > discovered that this is far too short.  At VMware, for example, it takes
> > about 10 business days to put an NSX release through all of the internal
> > processes needed to make it available to customers.  A lot of that is
> > QA, but even if that were to be skipped (which would be difficult), 5
> > days is terribly short.
> > 
> > I realize that VMware is not at the forefront of efficiency here, but I
> > think that other downstream users of Open vSwitch are likely to have
> > enterprise-y schedules as well.  Probably, we are not yet aware of most
> > of these, but my guess is that since Open vSwitch is gaining a higher
> > profile we will start to see vulnerability reports regularly and other
> > enterprise software companies will start to sign up as downstreams.
> > 
> > I suggest that we increase our policy from 3-5 business days to 10-15.
> > 
> > Your thoughts?
> 
> Same issue here, ACK.

OK.  I brought this up here first because I wanted to give people a
chance to object before I posted a patch.  It's been over a day and no
objections (and your ack is reassuring; thanks!), so I posted a patch:
        http://openvswitch.org/pipermail/dev/2016-March/069005.html

I'll give that a day or so to percolate and gather acks.