A new resource for coordinated vulnerability disclosure in open source projects

One of the joys of open source is the freedom it gives you to create: contributors get to build the projects they want how they want; it’s up to them. Of course, blank slates don’t come with directions, which makes more niche areas of software development and management a challenge for contributors. Vulnerability disclosure is one of those areas.
Google doesn’t restrict its open source work to one team; instead, we teach any and all Googlers about open source: how to release, how to contribute, how to use, and, in general, how to be a good open source citizen. This approach scales well and gives people the knowledge to be lifelong open source community members. This includes sharing knowledge about open source security, a topic that isn’t new but is finally getting the industry attention it deserves.
The intimidating blank slate and a lack of time for contributors to develop policies mean that many open source projects have no documented vulnerability reporting information, much less a plan for how to handle and disclose a reported vulnerability. We recently updated our guidance for coordinated vulnerability disclosure in open source projects that come out of Google, and we have published it in the hope that other projects will find it helpful for their own security practices.
The new guide has three sections:
- Setting up your vulnerability management “infrastructure”: The work you’ll want to do before an issue is reported.
- The vulnerability response process: Includes a runbook for when your project receives an issue.
- Templates: From SECURITY.MD to a public disclosure outline, all the communication pieces you need to handle an issue.
It’s a myth that if a project hasn’t received a vulnerability report yet, it doesn’t need a disclosure policy. It’s also a myth that you need to be “a security person” to implement a vulnerability disclosure policy. A successful coordinated vulnerability disclosure frequently comes down to good process management and clear, thoughtful communication. You don’t have to be an expert in operating system capabilities to understand how a reporter manipulated them through your project to cause an account privilege escalation. A predetermined policy, some templates, and a well-executed runbook will take you through discovering, patching, and disclosing most kinds of vulnerabilities.
By Anne Bertucio, Google Open Source