RFC00003 First version of a vulnerability disclosure policy

[axelsimon]

…as well as a description of our approach to embargoes + a first draft of an Enarx Security Advisories page.

Comments and improvements most welcome.

Closes #18.

[haraldh]

keybase nowadays provides public links to chat. https://keybase.io/<nickname>/chat
e.g. https://keybase.io/hellobot/chat

[axelsimon]

Uh, isn't it a bit strange that this is PR #19, when it should have been #4?

@haraldh That redirects to keybase://chat/hellobot, which my browser has no idea what to do with :)

[MikeCamel]

Not entirely happy about "attack us!". Maybe ("please let us know about vulnerabilities!")

[axelsimon]

I liked the idea of putting the same idea in more abstract terms and in more direct terms, which we have used out loud (hence the quotation marks). However, i agree that there must be a nice way to put it than just "attack us!".

[MikeCamel]

We have to decide if we're going to maintain public keys. Neither @npmccallum nor I currently does.

[axelsimon]

This is one of the big questions this document raises.

I'm warming up more and more to the idea of treating email like public channel, and using it (or the chat) to set up more secure communication channels. The question then becomes: what communication channel do we set up?

[MikeCamel]

Does Zulip have a way of managing this, by any chance?

[connorkuehl]

I'm not sure if this is exactly what you're looking for, but Zulip supports sending an email to a (private?) stream.

I am not sure if it's bidirectional though, so if the Enarx security council maintains a private stream and they receive a vulnerability disclosure, I am not sure if their responses into the stream will be relayed back by email to the security researcher.

I don't have enough data to know if Zulip is an appropriate place for this in terms of security and privacy.

[axelsimon]

That's a neat Zulip function, thanks for pointing it out. However documentation says nothing about PGP-encrypted email. This means that the email would be unencrypted until it reaches the Zulip server, at which point it's private (but not E2E-encrypted, as the Zulip server is able to relay the content of the email clearly to the stream). Furthermore, replies to the stream to the initial sender would also be unencrypted, as the Zulip server would not know which public PGP key to encrypt it to. So while cool, this is not really an option for us i fear.

[MikeCamel]

Suggest we close the Zulip thread here, as we've gone with Rocket.

[MikeCamel]

I'm now in contact with someone from the Github org to find out if there's something that they're working on that we could use (and the creation of which we could be help with).

[axelsimon]

That is excellent and would probably be a superior way to do this, if the feature is done right.

[MikeCamel]

Initial review.

[MikeCamel]

There's a distinction, but we should be careful.

[axelsimon]

A distinction in nature or in risk?
At the end of the day, i believe more and more strongly that we should treat email as a public channel, at least in terms of anything that might need confidentiality. It may not be entirely technically true, but it fosters the right attitude towards the levels of privacy and confidentiality one can expect from email overall.

[MikeCamel]

Agreed.

[mbestavros]

@axelsimon The PR being numbered #19 is because issues also count towards numbering. We've filed ~15 issues and 4 PRs, so this ends up being #19.

[axelsimon]

@axelsimon The PR being numbered #19 is because issues also count towards numbering. We've filed ~15 issues and 4 PRs, so this ends up being #19.

Makes sense. Thanks Mark.

[lkatalin]

This looks pretty good! I suggested a few changes. Also I assume we will work out what (non-email) channel to use for this before the RFC is approved, so I left that alone despite it being an outstanding issue.

[mbestavros]

I have two ideas for this, detailed below. Interested in others' thoughts.

[mbestavros]

I think it would be a good idea to specify that code changes get pushed to the repo and built before any embargo press lands. This would allow two things:

1. for us to directly specify the commit/version that patches the vulnerability in the press release, if we want (perhaps this is another thing we want to enforce?);
2. for people reading the disclosure to be able to migrate to that version immediately upon reading about it. We don't want them to come to our repo only to find that it's still building and won't be available for some period of time.

[axelsimon]

Good points. Incorporating them.

[mbestavros]

This looks reasonable to me. I've included a question inline, but one that doesn't necessarily imply any changes.

[mbestavros]

Do we have any desire to call out end-to-end encrypted Rocket.Chat as an option here?

[axelsimon]

It's mentioned at the end in the future ideas. The RFC is only in "proposed" state, so let's leave it as is for now, but i like the idea, and we may want to make it more explicit to use OTR when using Rocket Chat to inform the team of a possible security issue.

[haraldh]

LGTM