[yocto-security] new mailing list to discuss CVEs/security related issues
Sona Sarmadi
sona.sarmadi at enea.com
Fri Mar 6 01:46:19 PST 2015
Hi guys,
Before broadcasting this to the yocto or openembedded-core lists, I would like to discuss some details with you guys, since you are more involved in security/CVE updates in Yocto. Please feel free to forward this to more people or other lists if you think they should be notified.
We have set up two security-related mailing lists:
• Public List
yocto-security at yoctoproject.org
This is a public mailing list for anyone to subscribe to. This list is an open list to discuss public security issues/patches, backports of CVEs, etc. inside the Yocto Project. Those who are active in security or want to be more involved in security, or are just curious and want to have some insight into the security work done within the Yocto Project, please subscribe to this list and start using it!
To subscribe to this list go to:
https://lists.yoctoproject.org/listinfo/yocto-security
• Private List
security at yoctoproject.org (currently forwards to Michael Halstead and me)
For private security reports, to report and discuss sensitive vulnerabilities in open source products and packages in a secure way.
We need to have some internal process/policy/guidelines for dealing with security vulnerabilities. I will put the text below on the Yocto Security page (https://wiki.yoctoproject.org/wiki/Security) so everyone can know how we deal with security inside the Yocto community. Please let me know what you think. Please feel free to add more info or remove anything you think is not relevant/correct.
A security vulnerability is detected:
If you find a security flaw (a crash, an information leak, or anything that can have a security impact if exploited) in any Open Source package used by the Yocto Project, please report it to the Yocto Security Team. If you prefer to contact the upstream project directly, please copy the Yocto security team as well.
If you believe this is sensitive information, please report the vulnerability in a secure way, i.e. encrypt the email and send it to the private list.
This way, bad guys out there in the world cannot immediately take advantage of the flaw and exploit vulnerable systems.
What the Yocto Security Team does when it receives a security vulnerability:
The team does a quick analysis and reports the flaw to the upstream project. Normally the upstream project researches the problem and figures out whether there really is a problem and how to deal with it.
If they deem it a real security problem in their software, the project then mails the linux-distros mailing list and notifies all the big Linux distributions/vendors about the existence of the vulnerability/flaw. These mailing lists are normally non-public. The project and the people on linux-distros can then agree on a release date when the flaw should be made public.
Sometimes there is also some coordination on handling or backporting patches, etc., or just on understanding the problem or what caused it.
When the security issue is finally to be made public, the upstream project is normally responsible for contacting Mitre (cve-assign at mitre.org) to get a CVE number assigned to it and for copying other Open Source security mailing lists to inform the whole world of the vulnerability.
If an upstream project does not respond quickly:
If the upstream project does not fix the problem, the Yocto security team will contact linux-distros and the community and together try to solve the vulnerability as quickly as possible.
Normally big Linux vendors fix the problem if the problem affects their products.
Thanks
//Sona