Small changes to the Security Policy about accepting non-committers on the security channels

Hi devs,

We’ve had our first request for accessing our security channels at Asking for Security Access

After discussing with Ludovic Dubost and Guillaume Delhumeau we’re proposing the following small changes:

  • Explain in the Security policy why the security channels are private (strangely it’s not explained)

  • Improve the following text:

    Anyone can ask to get permissions to participate to XWiki Security topics by being added to the channels mentioned above (JIRA issues, Security chat, GitHub advisories, etc). To do so, you need to ask for permission by posting on the xwiki.org forum (in the Other category) and explain why you need access. XWiki Committers will decide whether you will get access or not.

    by changing:

    • Explain that the committers will evaluate who the person is in order to verify his/her legitimacy and ensure he/she is not a hacker/malicious user.
    • Ask the person to commit to respect the Security Policy, which essentially means not publicly disclosing non-public security information.

Note that we’ve discussed signing some NDA and the like but it’s too complex and we’re proposing to keep it simple.

WDYT?

Thanks

LGTM +1, thanks

+1

+1

Thanks,
Marius

+1

I’m not that convinced by that part, we don’t really define objective criteria of acceptance. Do we just want to check if the account asking for access is human and not a robot, or is there more to it?

Also, do we want to define some sort of response deadline? For instance, committing to answer in two weeks.

It’s about doing research on the person asking, to verify that they’re legit in their request to access the private security information before it’s released publicly.

Why make it more complex? It’s also not like we had 100s of requests every day :wink: It’s the time it takes to do the due diligence about the person asking. That can be 1 hour if it’s easy and we know the person already, to several weeks if it’s hard to find information about the person.

In the case at hand it took a long time because there were holidays and it’s the first time we got a request, so we had to discuss it internally. Next time, it shouldn’t take more than a few days.

Thanks


Thanks everyone, I’ve updated the security policy as follows:

https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/?viewer=changes&rev1=23.1&rev2=25.1&

Very interesting to see the updated security policy :wink:

Sharing knowledge on security issues in Open Source projects and the resulting (responsible) disclosure procedures are not easy. Sometimes you can only get it wrong - even if you do everything right. The EFail case is a well-documented example of that (EFAIL - Wikipedia). Drupageddon was another case that demonstrated how critical vulnerabilities in Open Source software can be and how crucial the disclosure process is: https://www.drupal.org Security Advisory.