runbook-vulnerability-response.md

File metadata and controls

54 lines (51 loc) · 2.91 KB

Vulnerability response process runbook

This runbook can only be executed by a Tuleap Integrator. More details can be found in the vulnerability response guide.

  1. Intake
    • A report is received from an external source (e.g. an email to [email protected] or a support ticket from a customer)
    • The report is acknowledged within 3 (French) business days
    • If necessary, means of communication are defined with the reporter
  2. Assessment
    • Determine whether the issue is a security issue or not
    • The reporter is informed of the result of the assessment
  3. Prepare the advisory
  4. Fix
    • Do the fix and publish it for review targeting the security branch on gerrit.tuleap.net in order to make the patch private (git push gerrit HEAD:refs/for/security%l=ReviewQueue+2)
    • The review and merge of the fix is made by another integrator using the standard procedure
    • If applicable, the reporter can be involved at this step, notably to get feedback on the fix itself
  5. Backport to Tuleap Enterprise Edition supported releases
  6. Obtain a CVE ID
    • Create a new draft security advisory on GitHub using the template
    • Request the CVE ID on the draft GitHub security advisory
    • Update the artifact in the Tuleap Requests tracker with the CVE ID once it is assigned
    • Communicate the CVE ID to the reporter
  7. Notify ANSSI / CERT-FR if the vulnerability severity is High
  8. Public disclosure
    • The advisory in the Tuleap Requests tracker is made public
    • The GitHub security advisory is published
    • The issue is mentioned in the monthly Tuleap release notes
```mermaid
flowchart TD
    ER[External report] --> ACK[Acknowledge]
    ACK --> AS
    IR[Internal report] --> AS
    AS[Assessment] --> CV{Is it a vulnerability?}
    CV -->|No| R["Reject (can potentially be logged as a public bug/feature request)"]
    CV -->|More details needed| M[Request missing information from the reporter]
    CV -->|Yes| P[Prepare advisory]
    P --> SF[Submit fix for review in private]
    SF --> RM[Review and merge the fix]
    RM --> B[Backport fix to Tuleap Enterprise Edition]
    B --> CVE[Request CVE ID]
    CVE --> IS_SEVERE{Is the vulnerability severity High?}
    IS_SEVERE -->|Yes| AUTHORITIES[Notify ANSSI / CERT-FR]
    CVE --> PD[Public disclosure at the planned date]
    RM  -.-> PR(["Post-remediation activities
    Additional hardening,
    architecture changes to prevent future occurrence of similar issues..."])
```