...

Term

Definition

Embargo

A time period during which vendors and key ONAP stakeholders have access to details concerning the security vulnerability, with an understanding not to publish these details or the fixes they have prepared. The embargo ends with a coordinated release date (CRD). (adapted from source)

Subject Matter Expert (SME)

A developer or other specialist who can provide contextual information that helps to determine the validity and impact of a potential security vulnerability.

Security SME

A security SME is a specialist who is familiar with the ONAP security vulnerability procedures and security in general.

Peer reviewed

In the context of a patch, the term peer reviewed refers to the patch having been reviewed by the ONAP vulnerability sub-committee and any other relevant key stakeholders. There is not yet a strict definition of the number of people who need to have reviewed the patch, or of how they provide sign-off.

...

All ONAP projects are currently in scope for vulnerability support. The participants of the ONAP projects are expected to support the ONAP vulnerability procedures when required.

/Should be checked with tsc/

ONAP is a very young project with a lot of code coming in every release. Even though we are interested in receiving bug reports for all ONAP releases that are currently in use, we will develop patches ONLY FOR THE LATEST RELEASE and FOR THE MASTER BRANCH (the next version under development). Unfortunately, ensuring security in the very early stages of the project is not always possible, which is why we declare the first three releases (Amsterdam, Beijing, Casablanca) unsupported in terms of security bug fixes. Dublin will be the first version supported as described by the rule above.

Third party components

Third party components (i.e., dependencies) are only in scope for security support if they are statically compiled or otherwise bundled by an ONAP project. Security issues in dynamically linked dependencies should be patched independently of ONAP.

...

  1. Create a ticket with the issue description in the Vulnerability Reporting Jira Project (VMS members)
  2. Make the ticket publicly visible (VMS members)
  3. Assign the bug to one of the VMS members
  4. Perform bug triage and request a CVE if necessary (VMS coordinator)
  5. Send an email containing the triage results to the ONAP TSC Chair and LFN representative /TSC should decide who is this contact point/ (Kenny Paul and Jim Baker)
  6. The rest of the standard process should be followed, skipping the embargoed disclosure step

...

  1. Make the related ticket publicly visible
  2. If a patch has already been proposed, push it immediately to gerrit
  3. Skip embargoed disclosure.
  4. Send an email confirming that the issue has been leaked to the ONAP TSC Chair and LFN representative /TSC should decide who is this contact point/ (Kenny Paul and Jim Baker)
  5. The rest of the standard process should be followed and finished as soon as possible.

...