Comments (9)
For Google Cloud, the early access program would allow us to do testing and release patches expediently after community binaries.
from security-wg.
For us it would be, give us a platform where we configure a webhook which sends us information on early disclosure, including the following:
- Are the issues fixed critical?
- Has a larger part of the logic been touched, or just a small change? This will decide if it goes to a manual review or not.
- The URL to the new binaries
- PGP signing of the new binaries (the PGP signer should be known beforehand and should be officially stated somewhere)
- The (upcoming) CVE reference
- Description of the issues fixed
This would be quite enough, and wherever possible we would include it in the automation of patching vulnerable pieces of software; we enjoy it when we don't need to poll for this information but get called instead. This would be the perfect solution for us, at least :)
IBM's customers use both the IBM SDK for Node.js as well as community binaries. In terms of an early access program it would best allow us to serve these customers if we could get the patches in advance so that we can incorporate them into the IBM SDK for Node.js such that it could be released on the same day as the community binaries are released.
At NodeSource we have a scenario very similar to the one @mhdawson outlined. Advance availability allows us time to address any conflicts and still release expediently after the community binaries to reduce exposure to our customers.
Sorry for the delay in this thread - I chatted with the various folks in Azure about what info they generally prefer to have when planning engineering work around patches. Generally, the following are quite helpful:
- Date/time the patch is expected to be made available, so Azure can plan for it. Is there an advance time for some AND general availability, and if so, what are the conditions around the advance patch (just for testing/prep for general availability, or does it allow early patching)?
- Versions of software being impacted (e.g. is this a problem just for Current, or just for LTSB, or both?)
- Does it only impact the software on a specific platform (x86 vs x86-64, Linux vs. Windows, etc.)?
- Severity/nature of the issue being addressed, so Azure knows how to prioritize and what actions may be called for (e.g. should they immediately patch and cycle all customer instances to make sure they are covered as soon as possible, or is it something Azure could hold off on until off-peak hours per region)?
- Whether/when Azure can give their customers notice of a reboot, should it be something that justifies immediate disruptive action.
- Regression risks, disruption risks (e.g. did an API behavior change? Is it likely to cause noticeable perf issues, and if so in what context, etc.)
- Are there mitigating actions distinct from the patch that either can, or should also be taken?
- Are there clear, enforced repercussions for violating any embargoes (i.e. no need to worry about other participants zero-daying with the info, because they will get suspended from the program for some period of time)?
Something that is immediately apparent is that while a good deal of this info is clearly useful when making engineering decisions around a patch, much of it is also super helpful for adversaries if they were to get advance notice (for example, if a specific API is being deprecated in a security patch, that gives a really good indicator of where the problem is). If we were to make most or all of this info available to major consumers of Node in advance, I think that would clearly require criteria for who gets advance access (just cloud providers? how is that defined? Platforms and OSes too?), and an NDA (not just generally, but specifically one that lays out how the info can be shared internally at these orgs. For example, sharing with Azure would not necessarily allow the Azure team to notify all of the teams using Electron at MS that they should patch).
Let's find a champion regarding this.
@mhdawson is there anything to discuss for this issue today? If not, can you remove the security-wg-agenda label until there is (it's been there since November 2017).
Agreed, will remove and we can put back on once we make some progress.
Closing because this seems to be stalled, or perhaps not needed. Please reopen if I'm mistaken.