
Comments (23)

mcollina commented on August 14, 2024 (6)

I think we should act as a CNA, if we have the bandwidth to do so.

from security-wg.

Fishrock123 commented on August 14, 2024 (2)

CNA seems like a reasonably good idea.

mhdawson commented on August 14, 2024 (1)

Discussed in the TSC meeting today. Consensus was that we should try it out unless somebody objects in this issue in the next week (i.e. by Sep 27th).

mhdawson commented on August 14, 2024 (1)

@sam-github we have agreement to act as a CNA for Node core issues, I think we'd need to get further agreement as well as find people who are willing to do the work for third party modules before expanding the scope.

I suggest we start by ramping up to be a CNA just for node-core and then expand once we are comfortable with that.

mhdawson commented on August 14, 2024 (1)

Submitted request for Node.js to become a CNA and manage CVEs.

First cut at CVE management process #60

drifkin commented on August 14, 2024

(edited to fix the link to the PDF)

mhdawson commented on August 14, 2024

@nodejs/security, @nodejs/security-wg would be good to get input from a good number of people as we'll need a number of people to agree to help with the work required if we chose to act as a CNA.

grnd commented on August 14, 2024

Acting as a CNA will also help us assign CVEs to vulnerabilities in npm packages.

mhdawson commented on August 14, 2024

Just catching up after being out a few weeks.

It was mentioned here: #17 (comment) that HackerOne might be able to act as a CNA for us. It's another option to consider.

@dadinolfi any comments on pros/cons of that?

dadinolfi commented on August 14, 2024

If you are a HackerOne customer, they can assign CVE IDs for vulnerabilities reported through their platform. If a vulnerability is disclosed outside of HackerOne, they may not assign for it, which then leaves you in a similar space as now. Some of HackerOne's customers are already CNAs themselves, and they and HackerOne have worked out who will assign for what and when.

mhdawson commented on August 14, 2024

Talking with @sam-github re HackerOne, we came to the conclusion that we should probably become a CNA even if we end up using HackerOne.

@nodejs/tsc @nodejs/security @nodejs/security-wg Please comment if you have any objections to the project becoming its own CNA for CVEs.

mhdawson commented on August 14, 2024

@dadinolfi I requested a CVE yesterday, just wondering if you can check if we'll get it soon? At the same time we should probably agree on the next steps for us becoming a CNA as well.

mhdawson commented on August 14, 2024

@dadinolfi I just requested a second one right now as well; wanted to let you know in order to avoid confusion, as it's the first one that I'd like to get ASAP for https://nodejs.org/en/blog/vulnerability/september-2017-path-validation/

mhdawson commented on August 14, 2024

@dadinolfi I received the second one but not the first one. If you can take a look at why we've not had a response on the first one that would be great.

dadinolfi commented on August 14, 2024

I'm looking into it.

dadinolfi commented on August 14, 2024

Our Content folks believe both requests had been replied to. Just in case:

CVE-2017-14849
and
CVE-2017-14919

sam-github commented on August 14, 2024

@mhdawson looks like there is general approval (and no objection) for us becoming a CNA. What are the next steps? What process needs to be put in place?

dadinolfi commented on August 14, 2024

From the MITRE side, we need the following four bits of information to proceed:

  • The scope that the CNA would cover. For example, Microsoft's scope is "All Microsoft products". Yours might be something like "All actively-developed versions of software developed under the Node.js project".

  • Public contact points. What email address or web address should we direct someone to who asks us for a way to contact you about CVE-related issues?

  • Private contact points. We maintain a list of administrative contacts that we can reach out to directly in case there are issues that require immediate attention. This is typically one or more email addresses or a group mail alias.

  • Email addresses to add to the CNA email discussion list. This is a closed mailing list that is used for announcements, sharing documents, or discussion relevant to the CNA community. The list rarely has more than ten messages a week.

Once I have these bits of information, I will ask the CVE Content Team to send you your initial block of CVE IDs. When you have a vulnerability to assign, you would take a CVE from that block, create the entry request (per Appendix B of the CNA Rules or using the JSON format described here: https://github.com/CVEProject/automation-working-group/tree/master/cve_json_schema ), and ask me to review it. I'll give you some feedback regarding the content and formatting. Once we are happy with it, you can submit it through the regular method (https://cveform.mitre.org/) or through the new GitHub-based process that I can set you up with.

Please let me know if you have any questions.

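Added example, not code from the thread or from MITRE: a small Python helper that builds a minimal entry in the MITRE CVE JSON 4.0 layout that the linked schema repository described, plus the field check a reviewer would run before asking for review. The field names are assumed from the 4.0 schema as I know it (verify against the published schema before submitting); the assigner address, affected version, weakness id and description text are placeholders, while the CVE ID and advisory URL are the ones mentioned in the thread.

```python
import json
import re

# Added example, not part of the thread: minimal CVE entry in the MITRE
# JSON 4.0 layout (field names assumed from that schema; check them
# against the published schema before submitting anything).
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def build_cve_entry(cve_id, assigner, vendor, product, versions,
                    cwe, description, references):
    """Return a dict in CVE JSON 4.0 layout; reject obviously bad input."""
    if not CVE_ID_RE.match(cve_id):
        raise ValueError("malformed CVE ID: %r" % cve_id)
    if not versions or not references or not description.strip():
        raise ValueError("versions, references and description are required")
    return {
        "data_type": "CVE",
        "data_format": "MITRE",
        "data_version": "4.0",
        "CVE_data_meta": {"ID": cve_id, "ASSIGNER": assigner, "STATE": "PUBLIC"},
        "affects": {"vendor": {"vendor_data": [{
            "vendor_name": vendor,
            "product": {"product_data": [{
                "product_name": product,
                "version": {"version_data": [{"version_value": v} for v in versions]},
            }]},
        }]}},
        "problemtype": {"problemtype_data": [
            {"description": [{"lang": "eng", "value": cwe}]}]},
        "references": {"reference_data": [
            {"url": u, "refsource": "MISC", "name": u} for u in references]},
        "description": {"description_data": [{"lang": "eng", "value": description}]},
    }

def required_fields_present(entry):
    """Reviewer checklist: an ID, an assigner, a description and a reference."""
    meta = entry.get("CVE_data_meta", {})
    desc = entry.get("description", {}).get("description_data", [])
    refs = entry.get("references", {}).get("reference_data", [])
    return bool(meta.get("ID") and meta.get("ASSIGNER") and desc and refs)

if __name__ == "__main__":
    # Constructed sample: the ID and advisory URL come from the thread; the
    # assigner address, version, weakness id and description are placeholders.
    entry = build_cve_entry(
        "CVE-2017-14849", "security@placeholder.invalid", "Node.js", "Node.js",
        ["PLACEHOLDER affected version"], "CWE-NNN (placeholder)",
        "PLACEHOLDER: one-paragraph description of the issue.",
        ["https://nodejs.org/en/blog/vulnerability/september-2017-path-validation/"])
    print(json.dumps(entry, indent=2))
```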

sam-github commented on August 14, 2024

@dadinolfi We definitely want to be a CNA for all projects administered by the Node Foundation, above info is great, thank you.

Can we, as well, be a CNA for third-party modules published to npmjs.org? If so, can we do it under the same CNA/block, or do we need a separate application?

We will soon be accepting reports of vulnerabilities in these modules; it would be convenient to issue CVEs for them, even though the Node Foundation didn't write and publish those modules.

mhdawson commented on August 14, 2024

@dadinolfi to confirm, I have both CVEs, thanks.

dadinolfi commented on August 14, 2024

If no one else has those modules as part of their CNA scope, there would be no barrier to you assigning CVE IDs to vulnerabilities disclosed in those. By including them explicitly in your scope, though, you'd be taking on the responsibility of being the one to assign CVE IDs for them for all cases, and other CNAs would send people looking for CVE IDs for those modules to you.

dadinolfi commented on August 14, 2024

I tried subscribing the email address you gave me to our cve-cna-list mailing list, but our mail server got a recipient rejected message when we tried to send to it. Is the address you gave me functioning?

Thanks.

-Dan

mhdawson commented on August 14, 2024

Email aliases PR had not yet landed, all in place now.

Process has been documented so we should be good to go. Landing.
