Comments (9)
jbottum
commented on May 24, 2024
@akgraner would your team please add this to the next Kubeflow Security Team's meeting agenda ? thank you.
from kubeflow.
akgraner
commented on May 24, 2024
Sure thing! Thank you!
Sent from Gmail Mobile
β¦On Tue, Jan 2, 2024 at 9:48β―AM Josh Bottum ***@***.***> wrote:
@akgraner <https://github.com/akgraner> would your team please add this
to the next Kubeflow Security Team's meeting agenda ? thank you.
β
Reply to this email directly, view it on GitHub
<#7438 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABPJ3ZL3CM6HYJASWCGVPEDYMQT5HAVCNFSM6AAAAABBKFHD2GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNZUGE4TQMZTGM>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
from kubeflow.
thesuperzapper
commented on May 24, 2024
@akgraner @jbottum just following up here, did we get any updates from @psmoros?
Also, we probably need to set up a secure way for people to report issues (e.g. HackerOne, which we get free with the CNCF).
from kubeflow.
akgraner
commented on May 24, 2024
@thesuperzapper thank you for that suggestion. We are aware and are working with the CNCF to get an email address for that purpose.
from kubeflow.
akgraner
commented on May 24, 2024
@psmoros - Can you reach out to me and @juliusvonkohout via slack (akgraner) so we can set up a meeting with you an a couple other members of the security team. And can you also email us more information at [email protected] and [email protected] about the issue.
Our next security meeting is 16 January 2024. Below is the meeting information.
Join Zoom Meeting
https://us06web.zoom.us/j/87118537300?pwd=NG5ibWN0N2YxUGR5Y2NXSXRiN0FGZz09
Meeting ID: 871 1853 7300
Passcode: 273734
from kubeflow.
akgraner
commented on May 24, 2024
We are working with CNCF folks to get a policy and a reporting email in place. However, I'll see if we can get a reporting addresses sooner rather than later. Thank you.
from kubeflow.
thesuperzapper
commented on May 24, 2024
@akgraner many security researchers oppose using email disclosures for a number of reasons:
- Encryption: emails are inherently not secure and can be intercepted
- Phishing/Leaks: allowing security researchers to send arbitrary attachments is a recipe for it to get hacked (potentially exposing all the other pending vulnerabilities)
- Tracking: it can be unclear if the project has seen the disclosure, and so when it would be appropriate to publicly disclose if no action is taken (typically 90 days)
- Verification: it makes getting payments/recognition for anonymous disclosures impossible (we can't identify who's sending)
- Access Control: Enforcing access control on the triage end is very hard
- Standardization: we can't enforce any kind of structure to the report
Most large projects either use HackerOne or GitHub's in built disclosures feature.
from kubeflow.
akgraner
commented on May 24, 2024
I realize that. Itβs a temporary measure. Thanks!
Sent from Gmail Mobile
β¦On Wed, Jan 10, 2024 at 1:36β―PM Mathew Wicks ***@***.***> wrote:
@akgraner <https://github.com/akgraner> many security researchers oppose
using email disclosures for a number of reasons:
1. *Encryption*: emails are inherently not secure and can be
intercepted
2. *Phishing/Leaks*: allowing security researchers to send arbitrary
attachments is a recipe for it to get hacked (potentially exposing all the
other pending vulnerabilities)
3. *Tracking*: it can be unclear if the project has seen the
disclosure, and so when it would be appropriate to publicly disclose if no
action is taken (typically 90 days)
4. *Verification:* it makes getting payments/recognition for anonymous
disclosures impossible (we can't identify who's sending)
5. *Access Control*: Enforcing access control on the triage end is
very hard
6. *Standardization*: we can't enforce any kind of structure to the
report
Most large projects either use HackerOne or GitHub's in built disclosures
feature.
β
Reply to this email directly, view it on GitHub
<#7438 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABPJ3ZOOAJWIA3Q3KPGVTPDYN3UT7AVCNFSM6AAAAABBKFHD2GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQOBVGU4DENBYGE>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
from kubeflow.
psmoros
commented on May 24, 2024
Thanks @akgraner will do :))
from kubeflow.
Related Issues (20)
- How to hide Artifact component from pipeline graph?
- ssl: none from centraldashboard to profiles which cause rbac access denied HOT 2
- [jupyter-web-app/backend] Error 500 when listing PodeDefaults using matchExpressions instead of matchLabels
- Maximum number of artifacts exceeded. How to aggregate artifacts from >100 ParallelFor iterations HOT 2
- Kubeflow Access Management API - is incomplete
- CSRF check failed. This may happen if you opened the login form in more than 1 tabs. Please try to login again.
- How to do container mount like '-v /path/a:/path:b' in kubeflow yaml component? HOT 1
- The pipeline running status is inconsistent with AWS Glue HOT 2
- Unable to configure a specific hostname for notebook-controller generated VirtualServices HOT 1
- profile-controller: adding contributors field
- container_component parameter check issue
- User sees shared pipelines in Private section in Central Dashboard while not being a contributor in any namespace
- Problem with google.cloud.logging and set_*_limit
- Intel GPU not in default GPU vendor list in Jupyter Notebook server HOT 2
- RStudio image ignores pod environment variables HOT 1
- [TRACKING] discussion & planning for future of `kubeflow/kubeflow` repo HOT 36
- when create profile,it need to pull image from internet,i need to switch it private registry HOT 3
- jupyter-web-app's `PodDefault` `configurations` are keyed by their label selector's key, not their name HOT 5
- Support non-Istio deployment, using Cilium support as a use case
- inferenceService can pull image directly HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kubeflow.