From db9d61ed0722ae3e9cc94d13509b44ab03d993e1 Mon Sep 17 00:00:00 2001
From: James Bush <37296643+bushjames@users.noreply.github.com>
Date: Wed, 17 Apr 2024 06:39:24 +0100
Subject: [PATCH] feat(coord-vuln-disclosure) add coordinated vulnerability disclosure policy doc (#431)
* add coordinated vulnerability disclosure policy doc
* first pass adjusting template to MLF
* fix bad grammar copy/paste error
* replace wikipedia ref with oss-vulnerability-guide ref
* fix line breaks
* attempt to fix build
---
 docs/.vuepress/config.js | 1 +
 docs/community/contributing/cvd.md | 304 +++++++++++++++++++++++++++++
 package-lock.json | 48 +++++
 3 files changed, 353 insertions(+)
 create mode 100644 docs/community/contributing/cvd.md
diff --git a/docs/.vuepress/config.js b/docs/.vuepress/config.js
index 53030b6a..439b8530 100644
--- a/docs/.vuepress/config.js
+++ b/docs/.vuepress/config.js
@@ -105,6 +105,7 @@ module.exports = {
 ['contributing/new-contributor-checklist', 'New Contributor Checklist'],
 ['contributing/code-of-conduct', 'Code of Conduct'],
 ['contributing/signing-the-cla', 'Signing the CLA'],
+ ['contributing/cvd', 'Disclosing Security Vulnerabilities'],
 ]
 },
 {
diff --git a/docs/community/contributing/cvd.md b/docs/community/contributing/cvd.md
new file mode 100644
index 00000000..025827a3
--- /dev/null
+++ b/docs/community/contributing/cvd.md
@@ -0,0 +1,304 @@
+# Disclosing and Receiving Information Regarding Security Vulnerabilities
+
+The Mojaloop Foundation and community take the security of Mojaloop software very seriously and operate a number of
+processes intended to ensure Mojaloop is a secure platform for conducting business. Please see
+our [documentation on cybersecurity architecture](../tools/cybersecurity.md) for more information.
+
+The Mojaloop Foundation operates
+a ["Coordinated Vulnerability Disclose"](https://github.com/ossf/oss-vulnerability-guide/blob/main/finder-guide.md#what-is-coordinated-vulnerability-disclosure)
+process which is a model whereby a discovered vulnerability or issue is disclosed publicly only after responsible and
+effected parties have been given sufficient time to patch or remedy the problem. By operating this model, the Mojaloop
+Foundation and community aim to minimise the potential impact of such issues on our adopters.
+
+## Mojaloop Foundation Coordinated Vulnerability Disclosure Policy
+
+The following sections define the requirements and expectations of various parties involved in the discovery and
+remediation of security vulnerabilities in the Mojaloop software. All members of the Mojaloop community are expected to
+comply with these policies regardless of which role they are playing in any particular scenario. Participation in the
+Mojaloop community implies acceptance of and compliance with these policies.
+
+### Terminology
+
+The following definitions apply within the Mojaloop Foundation Coordinated Vulnerability Disclosure Policy:
+
+#### Terms from RFC 2119
+
+The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "
+OPTIONAL" in this document are to be interpreted as described in RFC 2119.
+
+#### Terms from ISO, CERT
+
+The terms "Researcher" or "Reporter" in this document are intended to be consistent with the terms "Finder" and/or "
+Reporter" as used in ISO/IEC 29147:2014(E) and the CERT® Guide to Coordinated Vulnerability Disclosure.
+
+### Reporters Policy
+
+Reporters MUST adhere to the following guidelines.
+
+#### General
+
+* Reporters MUST comply with all applicable local and international laws in connection with security research activities
+ or other participation in this vulnerability disclosure program.
+
+* Reporters SHOULD make a good faith effort to notify and work directly with the affected vendor(s) or service providers
+ prior to publicly disclosing vulnerability reports.
+
+#### Scope of Authorized Testing
+
+* Reporters MAY test The Mojaloop open-source software to detect a vulnerability for the sole purpose of providing The
+ Mojaloop Foundation information about that vulnerability.
+
+* Reporters SHOULD only test against test accounts owned by the Reporter or with explicit permission from the account
+ holder.
+
+* Reporters MUST avoid harm to the information systems and operations of The Mojaloop Foundation, its associates and
+ users of Mojaloop open-source software.
+
+* Reporters MUST make every effort to avoid privacy violations, degradation of user experience, disruption to production
+ systems, and destruction or manipulation of data.
+
+* Reporters MUST stop testing once that testing has established that a vulnerability exists, or sensitive data has been
+ encountered. Sensitive data includes personally identifiable information, financial information (e.g., account
+ numbers), proprietary information or trade secrets.
+
+* Reporters MUST NOT test any software or services not expressly contained in The Mojaloop open-source software Github
+ repositories, including any connected services.
+
+* Reporters MUST NOT exploit any vulnerability beyond the minimal amount of testing required to prove that the
+ vulnerability exists or to identify an indicator related to that vulnerability.
+
+* Reporters MUST NOT intentionally access the content of any communications, data, or information transiting or stored
+ on information systems belonging to The Mojaloop Foundation, its associates or users of Mojaloop open-source
+ software – except to the extent that the information is directly related to a vulnerability and the access is
+ necessary to prove that the vulnerability exists.
+
+* Reporters MUST NOT exfiltrate any data under any circumstances.
+
+* Reporters MUST NOT intentionally compromise the privacy or safety of The Mojaloop Foundation's personnel, customers,
+ the general public, users of the Mojaloop open-source software or any legitimate third parties.
+
+* Reporters MUST NOT use any exploit to compromise, alter, or exfiltrate data
+
+* Reporters SHOULD NOT establish command line access and/or persistence
+
+* Reporters MUST NOT exploit any vulnerabilities found to pivot to other systems.
+
+* Reporters MUST NOT intentionally compromise the intellectual property or other commercial or financial interests of
+ any The Mojaloop Foundation's personnel or entities, customers, the general public, users of the Mojaloop open-source
+ software or any legitimate third parties.
+
+* Reporters MUST NOT cause a denial of any legitimate services in the course of their testing.
+
+* Reporters MUST NOT perform physical access testing (e.g. office access, open doors, tailgating, or other trespass).
+
+* Reporters MUST NOT conduct social engineering in any form of The Mojaloop Foundation personnel its contractors,
+ associates, or user of the Mojaloop open-source software, their personnel, contractors or customers.
+
+* Reporters SHOULD contact The Mojaloop Foundation by email at [security@mojaloop.io](mailto:security@mojaloop.io) if at
+ any point you are uncertain of whether to proceed with testing.
+
+#### Coordination with The Mojaloop Foundation
+
+* Reporters SHOULD submit vulnerability reports to The Mojaloop Foundation via secure (encrypted) email
+ to [security@mojaloop.io](mailto:security@mojaloop.io).
+
+* Reporters SHOULD submit high quality reports.
+
+* Reporters SHOULD include sufficient descriptive details to permit The Mojaloop Foundation and/or the affected
+ vendor(s) to accurately reproduce the vulnerable behavior.
+
+* Reporters SHOULD NOT report unanalyzed crash dumps or fuzzer output unless accompanied by a sufficiently detailed
+ explanation of how they represent a security vulnerability.
+
+* Reporters SHOULD report other vulnerabilities found incidental to their in-scope testing even if those vulnerabilities
+ would be otherwise considered out-of-scope. For example, while testing an in-scope system the reporter finds it to be
+ exposing data from out-of-scope system. These are still reportable vulnerabilities.
+
+* Reporters MUST keep confidential any information about vulnerabilities discovered for 90 days after you have notified
+ The Mojaloop Foundation. Notwithstanding, this expectation does not preclude Reporters from simultaneously
+ coordinating the vulnerability report with other affected parties (vendors, service providers, coordinators, etc.)
+
+* Reporters MAY include a proof-of-concept exploit if available.
+
+* Reporters MAY request that their contact information be withheld from all affected vendor(s).
+
+* Reporters MAY request not to be named in the acknowledgements of The Mojaloop Foundation's public disclosures.
+
+* Reporters MUST NOT submit a high-volume of low-quality reports.
+
+* Reporters MUST NOT require The Mojaloop Foundation to enter into a customer relationship, non-disclosure agreement
+ (NDA) or any other contractual or financial obligation as a condition of receiving or coordinating vulnerability
+ reports.
+
+* Reporters MUST NOT demand compensation in return for reporting vulnerability information reported outside of an
+ explicit bug bounty program.
+
+#### Coordination with vendors
+
+* In the event that the Reporter finds a vulnerability in The Mojaloop Foundation open-source software consequent to a
+ vulnerability in a generally available product or service, the Reporter MAY report the vulnerability to the affected
+ vendor(s), service provider(s), or third party vulnerability coordination service(s) in order to enable the product or
+ service to be fixed.
+
+#### Coordination with others
+
+* Reporters MAY engage the services of a third party coordination service (e.g., CERT/CC, DHS CISA) to assist in
+ resolving any conflicts that cannot be resolved between the Reporter and The Mojaloop Foundation.
+
+* Reporters SHOULD NOT disclose any details of any extant Mojaloop Foundation open-source software vulnerability, or any
+ indicators of vulnerability to any party not already aware at the time the report is submitted to The Mojaloop
+ Foundation.
+
+#### Public disclosure
+
+* Reporters MAY disclose to the public the prior existence of vulnerabilities already fixed by The Mojaloop Foundation,
+ including potentially details of the vulnerability, indicators of vulnerability, or the nature (but not content) of
+ information rendered available by the vulnerability.
+
+* Reporters choosing to disclose to the public SHOULD do so in consultation with The Mojaloop Foundation.
+
+* Reporters MUST NOT disclose any incidental proprietary data revealed during testing or the content of information
+ rendered available by the vulnerability to any party not already aware at the time the report is submitted to
+ The Mojaloop Foundation.
+
+### Receivers Policy
+
+The Mojaloop Foundation SHALL deal in good faith with Reporters who discover, test, and report vulnerabilities or
+indicators of vulnerabilities in accordance with these guidelines.
+
+#### General
+
+* The Mojaloop Foundation MAY modify the terms of this policy or terminate the policy at any time.
+
+* The Mojaloop Foundation SHALL use information reported to this program for defensive purposes only; to mitigate or
+ remediate vulnerabilities in the Mojaloop open-source software, Mojaloop Foundation networks, applications, the
+ applications of our vendors and those of users of Mojaloop open-source software.
+
+#### Case handling
+
+* The Mojaloop Foundation MAY, at our discretion, decline to coordinate or publish a vulnerability report. This decision
+ is generally based on the scope and severity of the vulnerability and our ability to add value to the coordination and
+ disclosure process.
+
+* In the event that The Mojaloop Foundation declines to coordinate a vulnerability report, the Reporter MAY proceed to
+ coordinate with any other affected vendor(s). Additionally, the Reporter MAY proceed with public disclosure at their
+ discretion.
+
+* The Mojaloop Foundation SHALL investigate every reported vulnerability and strive to ensure that appropriate steps are
+ taken to mitigate risk and remediate reported vulnerabilities.
+
+* The Mojaloop Foundation SHALL, to the best of our ability, validate the existence of the vulnerability
+
+* The Mojaloop Foundation SHALL determine an appropriate timeframe for mitigation development and deployment for
+ vulnerabilities reported in systems it controls.
+
+#### Coordination with reporters
+
+* The Mojaloop Foundation SHALL acknowledge receipt of vulnerability reports via email within 7 working days.
+
+* The Mojaloop Foundation MAY contact the Reporter for further information.
+
+* The Mojaloop Foundation SHALL inform the Reporter of the results of our validation, as appropriate, and accordingly
+ provide status updates as remediation of the vulnerability is underway.
+
+* The Mojaloop Foundation SHALL include credit to the reporter in any published vulnerability report unless otherwise
+ requested by the reporter.
+
+* In the event that The Mojaloop Foundation chooses to publicly disclose the reported vulnerability, The Mojaloop
+ Foundation SHALL recognize your contribution to improving our security if you are the first to report a unique
+ vulnerability, and your report triggers a code or configuration change.
+
+* The Mojaloop Foundation MAY forward the name and contact information of the Reporter to any affected vendors unless
+ otherwise requested by the reporter.
+
+* The Mojaloop Foundation SHALL forward the name and contact information of the reporter to the affected vendors unless
+ otherwise requested by the reporter.
+
+* The Mojaloop Foundation SHALL advise the reporter of significant changes in the status of any vulnerability he or she
+ reported to the extent possible without revealing information provided to us in confidence.
+
+* The Mojaloop Foundation MAY adjust its publication timeframe to accommodate reporter constraints if that timing is
+ otherwise compatible with this policy. In most cases such an adjustment would be expected to represent a delay rather
+ than an acceleration of the publication schedule. Examples include delaying publication to coincide with conference
+ presentations.
+
+* The Mojaloop Foundation SHALL NOT require Reporters to enter into a customer relationship, non-disclosure agreement
+ (NDA) or any other contractual or financial obligation as a condition of receiving or coordinating vulnerability
+ reports.
+
+#### Coordination with vendors
+
+* In the event that The Mojaloop Foundation determines the reported vulnerability is consequent to a vulnerability in a
+ generally available product or service, The Mojaloop Foundation MAY report the vulnerability to the affected
+ vendor(s), service provider(s), or third party vulnerability coordination service(s) in order to enable the product or
+ service to be fixed.
+
+* The Mojaloop Foundation SHALL make a good faith effort to inform vendors of reported vulnerabilities prior to public
+ disclosure.
+
+* The Mojaloop Foundation SHALL forward vulnerability reports to the affected vendor(s) as soon as practical after we
+ receive the report.
+
+* The Mojaloop Foundation SHALL apprise any affected vendors of our publication plans and negotiate alternate
+ publication schedules with the affected vendors when required.
+
+* The Mojaloop Foundation SHALL provide the vendor the opportunity to include a vendor statement within our public
+ disclosure document.
+
+* The Mojaloop Foundation SHALL NOT withhold vendor-supplied information simply because it disagrees with our assessment
+ of the problem.
+
+* The Mojaloop Foundation SHALL notify affected vendors of any public disclosure plans.
+
+* The Mojaloop Foundation SHALL NOT reveal information provided in confidence by any vendor.
+
+* The Mojaloop Foundation SHALL act in accordance with the expectations of Reporters set forth in this policy when
+ acting as a Reporter to other organizations (vendors, coordinators, etc.).
+
+#### Coordination with others
+
+* The Mojaloop Foundation MAY engage the services of a third party coordination service (e.g., CERT/CC, DHS CISA) to
+ assist in resolving any conflicts that cannot be resolved between the Reporter and The Mojaloop Foundation.
+
+* The Mojaloop Foundation MAY, at our discretion, provide reported vulnerability information to anyone who can
+ contribute to the solution and with whom we have a trusted relationship, including vendors (often including vendors
+ whose products are not vulnerable), service providers, community experts, sponsors, and sites that are part of a
+ national critical infrastructure, if we believe those sites to be at risk.
+
+#### Public disclosure
+
+* The Mojaloop Foundation SHALL determine the type and schedule of our public disclosure of the vulnerability.
+
+* The Mojaloop Foundation MAY disclose reported vulnerabilities to the public 7 days days after the initial
+ report, regardless of the existence or availability of patches or workarounds from affected vendors.
+
+* The Mojaloop Foundation MAY disclose vulnerabilities to the public earlier or later than 7 days due to extenuating
+ circumstances, including but not limited to active exploitation, threats of an especially serious (or trivial) nature,
+ or situations that require changes to an established standard.
+
+* The Mojaloop Foundation MAY consult with the Reporter and any affected vendor(s) to determine the appropriate public
+ disclosure timing and details.
+
+* The Mojaloop Foundation SHALL balance the need of the public to be informed of security vulnerabilities with vendors'
+ and users of Mojaloop open-source software need for time to respond effectively.
+
+* The Mojaloop Foundation's final determination of a publication schedule SHALL be based on the best interests of the
+ community overall.
+
+* The Mojaloop Foundation SHALL publish public disclosures via one or more of email, slack, and/or the Mojaloop
+ Community Central website.
+
+* The Mojaloop Foundation MAY disclose to the public the prior existence of vulnerabilities already fixed by The
+ Mojaloop Foundation, including potentially details of the vulnerability, indicators of vulnerability, or the nature (
+but not content) of information rendered available by the vulnerability.
+
+* The Mojaloop Foundation SHALL make our disclosure determinations based on relevant factors such as but not limited to:
+ whether the vulnerability has already been publicly disclosed, the severity of the vulnerability, potential impact to
+ critical infrastructure, possible threat to public health and safety, immediate mitigations available, vendor
+ responsiveness and feasibility for creating an upgrade or patch, and vendor estimate of time required for customers to
+ obtain, test, and apply the patch. Active exploitation, threats of an especially serious nature, or situations that
+ require changes to an established standard may result in earlier or later disclosure.
+
+* The Mojaloop Foundation MAY disclose product vulnerabilities 30 days after the initial contact is made, regardless of
+ the existence or availability of patches or workarounds from affected vendors in cases where a product is affected and
+ the vendor is unresponsive, or fails to establish a reasonable timeframe for remediation.
diff --git a/package-lock.json b/package-lock.json
index 5f19880b..febbf890 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -11587,6 +11587,7 @@ "resolved": "https://registry.npmjs.org/linkify-it/-/linkify-it-5.0.0.tgz", "integrity": "sha512-5aHCbzQRADcdP+ATqnDuhhJ/MRIqDkZX5pyjFHRRysS8vZ5AbqGEoFIb6pYHPZ+L/OC2Lc+xT8uHVVR5CAK/wQ==", "dev": true, + "peer": true, "dependencies": { "uc.micro": "^2.0.0" }
@@ -11839,6 +11840,7 @@ "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-14.0.0.tgz", "integrity": "sha512-seFjF0FIcPt4P9U39Bq1JYblX0KZCjDLFFQPHpL5AzHpqPEKtosxmdq/LTVZnjfH7tjt9BxStm+wXcDBNuYmzw==", "dev": true, + "peer": true, "dependencies": { "argparse": "^2.0.1", "entities": "^4.4.0", @@ -11972,6 +11974,15 @@ "node": ">=16" } }, + "node_modules/markdownlint-cli/node_modules/ignore": { + "version": "5.2.4", + "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.2.4.tgz", + "integrity": "sha512-MAb38BcSbH0eHNBxn7ql2NH/kX33OkB3lZ1BNdh7ENeRChHTYsTvWrMubiIAMNS2llXEEgZ1MUOBtXChP3kaFQ==", + "dev": true, + "engines": { + "node": ">= 4" + } + }, "node_modules/markdownlint-micromark": { "version": "0.1.8", "resolved": "https://registry.npmjs.org/markdownlint-micromark/-/markdownlint-micromark-0.1.8.tgz", 
@@ -11984,6 +11995,43 @@ "url": "https://github.com/sponsors/DavidAnson" } }, + "node_modules/markdownlint/node_modules/entities": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/entities/-/entities-3.0.1.tgz", + "integrity": "sha512-WiyBqoomrwMdFG1e0kqvASYfnlb0lp8M5o5Fw2OFq1hNZxxcNk8Ik0Xm7LxzBhuidnZB/UtBqVCgUz3kBOP51Q==", + "dev": true, + "engines": { + "node": ">=0.12" + }, + "funding": { + "url": "https://github.com/fb55/entities?sponsor=1" + } + }, + "node_modules/markdownlint/node_modules/linkify-it": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/linkify-it/-/linkify-it-4.0.1.tgz", + "integrity": "sha512-C7bfi1UZmoj8+PQx22XyeXCuBlokoyWQL5pWSP+EI6nzRylyThouddufc2c1NDIcP9k5agmN9fLpA7VNJfIiqw==", + "dev": true, + "dependencies": { + "uc.micro": "^1.0.1" + } + }, + "node_modules/markdownlint/node_modules/markdown-it": { + "version": "13.0.1", + "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-13.0.1.tgz", + "integrity": "sha512-lTlxriVoy2criHP0JKRhO2VDG9c2ypWCsT237eDiLqi09rmbKoUetyGHq2uOIRoRS//kfoJckS0eUzzkDR+k2Q==", + "dev": true, + "dependencies": { + "argparse": "^2.0.1", + "entities": "~3.0.1", + "linkify-it": "^4.0.1", + "mdurl": "^1.0.1", + "uc.micro": "^1.0.5" + }, + "bin": { + "markdown-it": "bin/markdown-it.js" + } + }, "node_modules/md5.js": { "version": "1.3.5", "resolved": "https://registry.npmjs.org/md5.js/-/md5.js-1.3.5.tgz",