-
Notifications
You must be signed in to change notification settings - Fork 453
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Responsible Vulnerability Disclosure Policy #225
Comments
Looks like someone already reported a vulnerable dependency in #174, let me know if reporting is supposed to be done in public issues on this Github repository. |
Sure, you can disclose it here as an issue |
Here is a list of some issues and possible mitigation that could reduce associated risks. Regarding webserver app, I noticed that:
|
Thank you for the report. Just a few comments:
|
Thank you for this answer. I'd like to elaborate a bit more on points 4. and 5. Lets say that we have student training on a OpenPLC powered lab, how can we restrict access to the underlying layer (I mean the OS layer of the server running OpenPLC) ? On a real PLC one can upload a program but should not be able to run code in OS, say VxWorks for instance (except in the presence of vulnerabilities). There is a difference between being able to change the program running on an OpenPLC server and being able to tell this same server to shutdown adding a short piece of code in PSM based on some Maybe OpenPLC could setup a minimal Role-Based Access Control feature to prevent specific users from using features allowing to take over the underlying operating system. What I mean is that there is a difference between a server administrator and an OpenPLC user. |
You don't have to write code on PSM to make OS system calls. You can write that straight in the PLC program itself by declaring C under pragmas. Many other vendors (with a more open mindset) like PCWorkx, TwinCAT and even CODESYS allow that type of thing as well, where users can declare C code or make syscalls. If the user is restricted even to upload a new PLC program because of that, then the PLC is useless. This is not about security or vulnerability. This is about openness, and that's the concept behind OpenPLC, to be open, without restrictions. Obviously that comes with a risk if one does not know what he/she is doing. With great powers comes great responsibility. In case of students, just place the OpenPLC Runtime inside a VM. Then you get the isolation you need. |
Hi,
First of all, thank you for this great project 👍
I'd like to report some security issues. I'm looking for a responsible vulnerability disclosure policy that I should follow to report these vulnerabilities in a responsible way.
Thank you
The text was updated successfully, but these errors were encountered: