...
<<This is a page to fill out the draft ONAP vulnerability management procedures. It will remain draft until it is approved>>
ONAP Vulnerability Management
Glossary
| Term | Definition |
| --- | --- |
| Embargo | A time period during which vendors have access to details of the security vulnerability, with an understanding not to publish those details or the fixes they have prepared. The embargo ends with a coordinated release date ("CRD"). |
| Subject matter expert | A developer or other specialist who can provide contextual information that helps to determine the validity and impact of a potential security vulnerability. |
| Security SME | A security SME is a specialist who is familiar with the ONAP security vulnerability procedures and with security in general. |
| Peer reviewed | In the context of a patch, peer reviewed means that the patch has been reviewed by the ONAP vulnerability sub-committee and any other relevant key stakeholders. There is not yet a strict definition of how many people must have reviewed the patch, or of how they provide sign-off. |
Security Response Procedure
...
Thank you for reporting a security issue to the ONAP vulnerability sub-committee. We have created a private security issue in JIRA to track it.
Please provide us with your JIRA username so that we can add you to the issue.
All communications and decisions about how this issue will be handled will be recorded on this issue to provide proper tracking.
{jira_issue_url}
Thanks
{onap_vulnerability_sub-committee_member}, on behalf of the ONAP vulnerability sub-committee
Confirmed private security issues
...
{onap_vulnerability_sub-committee_member}, on behalf of the ONAP vulnerability sub-committee
Roadmap
Action Items
| Topic | Assignee | Description | Status |
| --- | --- | --- | --- |
| organizational | Stephen | Send out a call for participation and form the ONAP vulnerability sub-committee | |
| infrastructure | Phil | Create a private mailing list for the vulnerability management sub-committee | |
| organizational | Vulnerability committee | Elect a chair | |
| infrastructure | Phil | Enable private security issues in JIRA | |
| infrastructure | security sub-committee | Create a public page indicating contact information for the ONAP vulnerability sub-committee | |
| documentation | Stephen | Create a public page detailing the vulnerability management process and how to report security problems to ONAP | |
| documentation | security sub-committee | Create a single page listing the security issues fixed in ONAP projects (advisories) | |
| communication | security sub-committee | Ensure the new security process is announced on all major mailing lists | |
...