Security Vulnerability Management Process for SONiC Community

[zhangyanzhao]

This document outlines SONiC vulnerability reporting and management process.

[zhangyanzhao]

TSC members, can you please help to review and approve this PR? Thanks.

[eddieruan-alibaba]

Looks good to me.

[Yarden-Z]

Is there a template to report SONiC security issues?
Regarding security issues - do we want all security issues dealt with within 90 days? Critical item (CVSS > 9.0) might require a more immediate response if the item is highly critical and highly visible.

[adyeung]

Depends on the severity, 90 days may be too long for critical CVE, committee should come up with a timeline for each severity

[marvellgit]

issues open by security researcher are usually more time sensitive since tey want to publish their findings, so such issue need to prioritized. also need to understand if 90 day is acceptable in such cases ( it may be far shorter like 0/60 days)

[marvellgit]

issues in open code packages is different than sonic code issues, so i think we need to handle that differently
first such issues may have being fixed in later versions
i think we need to set a policy to work with open code

1. we need to score any open code package - based on security / frequency of fix / known issues ..
2. new open code can only used if "security" score is better that a predefine level
3. as part of sonic release need to update to last stable any open code with security issues

[marvellgit]

regrading security issues with hw , i believe it should be handled by odm , with the exception of kernel related fixed that apply to Debian

[marvellgit]

one additional note is that on optional feature possible mitigation an be to disable the functionality

[zhangyanzhao]

Depends on the severity, 90 days may be too long for critical CVE, committee should come up with a timeline for each severity

The 90 days is the longest waiting time from when a mitigation/fix is ready to provide enough buffer to patch their system whoever is concerned. Committee can further refine that timeline based on severity.

[zhangyanzhao]

issues in open code packages is different than sonic code issues, so i think we need to handle that differently first such issues may have being fixed in later versions i think we need to set a policy to work with open code

1. we need to score any open code package - based on security / frequency of fix / known issues ..
2. new open code can only used if "security" score is better that a predefine level
3. as part of sonic release need to update to last stable any open code with security issues

@marvellgit can you please elaborate a bit on "open code packages"? I do not quite understand your comments.

[marvellgit]

like frr or other linux project we use in sonic

[zhangyanzhao]

Is there a template to report SONiC security issues? Regarding security issues - do we want all security issues dealt with within 90 days? Critical item (CVSS > 9.0) might require a more immediate response if the item is highly critical and highly visible.

Security template will be defined later by security committee. The 90 days is the duration from date when mitigation is identified to vul expose date, overall, we expect the reported issues to be mitigated as soon as possible.

[zhangyanzhao]

Is there a template to report SONiC security issues? Regarding security issues - do we want all security issues dealt with within 90 days? Critical item (CVSS > 9.0) might require a more immediate response if the item is highly critical and highly visible.

Security committee can define a template if they want. The 90 days is the longest waiting time from when a mitigation/fix is ready, we expect the vulnerability is mitigated as soon as possible.

[zhangyanzhao]

@adyeung @balajib-cisco @eddieruan-alibaba can you please help to approve this PR if you are ok with the updated content? Thanks.