From ad7e65975b865ccac610e615fc663cc082b01803 Mon Sep 17 00:00:00 2001 From: alexey semenyuk Date: Thu, 17 Apr 2025 11:34:09 +0500 Subject: [PATCH 1/3] Update outdated SECURITY.md Signed-off-by: alexey semenyuk --- SECURITY.md | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 733a396b93..30d4e35f4b 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,19 +2,10 @@ ## Reporting a Security Bug -If you think you have discovered a security issue in any of the Hyperledger projects, we'd love to -hear from you. We will take all security bugs seriously and if confirmed upon investigation we will -patch it within a reasonable amount of time and release a public security bulletin discussing the -impact and credit the discoverer. +If you think you have discovered a security issue in any of the Hyperledger projects, we'd love to hear from you. We will take all security bugs seriously and if confirmed upon investigation we will patch it within a reasonable amount of time and release a public security bulletin discussing the impact and credit the discoverer. -There are two ways to report a security bug. The easiest is to email a description of the flaw and -any related information (e.g. reproduction steps, version) to -[security at hyperledger dot org](mailto:security@hyperledger.org). +There are two ways to report a security bug. The easiest is to email a description of the flaw and any related information (e.g. reproduction steps, version) to [security at hyperledger dot org](mailto:security@hyperledger.org). -The other way is to file a confidential security bug in our -[JIRA bug tracking system](https://jira.hyperledger.org). Be sure to set the “Security Level” to -“Security issue”. +The other way is to file a confidential security bug in the repository's [security advisories page](https://github.com/hyperledger/firefly/security/advisories). Guidance can be found in the GitHub documentation on [privately reporting a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability). -The process by which the Hyperledger Security Team handles security bugs is documented further in -our [Defect Response page](https://wiki.hyperledger.org/display/SEC/Defect+Response) on our -[wiki](https://wiki.hyperledger.org). \ No newline at end of file +The process by which the Hyperledger Security Team handles security bugs is documented further in our [Defect Response page](https://lf-hyperledger.atlassian.net/wiki/spaces/SEC/pages/20283618/Defect+Response) on our [wiki](https://lf-hyperledger.atlassian.net/wiki). From 410cc4a1ede8e6458e26cde0aba972c56a3dfdb2 Mon Sep 17 00:00:00 2001 From: alexey semenyuk Date: Wed, 2 Jul 2025 22:01:33 +0500 Subject: [PATCH 2/3] Fix SECURITY.md Signed-off-by: alexey semenyuk --- SECURITY.md | 167 ++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 161 insertions(+), 6 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 30d4e35f4b..2afbd62501 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,11 +1,166 @@ -# Hyperledger Security Policy +# Hyperledger Firefly, an LF Decentralized Trust Project Security Policy -## Reporting a Security Bug +[LF Decentralized Trust Security Policy]: https://lf-decentralized-trust.github.io/governance/governing-documents/security -If you think you have discovered a security issue in any of the Hyperledger projects, we'd love to hear from you. We will take all security bugs seriously and if confirmed upon investigation we will patch it within a reasonable amount of time and release a public security bulletin discussing the impact and credit the discoverer. +## About this document -There are two ways to report a security bug. The easiest is to email a description of the flaw and any related information (e.g. reproduction steps, version) to [security at hyperledger dot org](mailto:security@hyperledger.org). +This document defines how security vulnerability reporting is handled in Hyperledger Firefly, an LF Decentralized Trust Project. +The approach aligns with the [LF Decentralized Trust Security Policy] . Please +review that document to understand the basis of the security reporting for Hyperledger Firefly. -The other way is to file a confidential security bug in the repository's [security advisories page](https://github.com/hyperledger/firefly/security/advisories). Guidance can be found in the GitHub documentation on [privately reporting a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability). +This vulnerability policy borrows heavily from the +recommendations of the OpenSSF Vulnerability Disclosure working group. For +up-to-date information on the latest recommendations related to vulnerability +disclosures, please visit the [GitHub of that working +group](https://github.com/ossf/wg-vulnerability-disclosures). -The process by which the Hyperledger Security Team handles security bugs is documented further in our [Defect Response page](https://lf-hyperledger.atlassian.net/wiki/spaces/SEC/pages/20283618/Defect+Response) on our [wiki](https://lf-hyperledger.atlassian.net/wiki). +If you are already familiar with the security policies of Hyperledger Firefly, and +ready to report a vulnerability, please jump to [Report Intakes](#report-intakes). + +## Outline + +This document has the following sections: + +- [Hyperledger Firefly Security Policy](#project-an-lf-decentralized-trust-project-security-policy) + - [Instructions](#instructions) + - [About this document](#about-this-document) + - [Outline](#outline) + - [What Is a Vulnerability Disclosure Policy?](#what-is-a-vulnerability-disclosure-policy) + - [Security Team](#security-team) + - [Discussion Forums](#discussion-forums) + - [Report Intakes](#report-intakes) + - [CNA/CVE Reporting](#cnacve-reporting) + - [Embargo List](#embargo-list) + - [(GitHub) Security Advisories](#github-security-advisories) + - [Private Patch Deployment Infrastructure](#private-patch-deployment-infrastructure) + +## What Is a Vulnerability Disclosure Policy? + +No piece of software is perfect. All software (at least, all software of a +certain size and complexity) has bugs. In open source development, members of +the community or the public find bugs and report them to the project. A +vulnerability disclosure policy explains how this process functions from the +perspective of the project. + +This vulnerability disclosure policy explains the rules and guidelines for +Hyperledger Firefly. It is intended to act as both a reference for +outsiders–including both bug reporters and those looking for information on the +project’s security practices–as well as a set of rules that maintainers and +contributors have agreed to follow. + +## Security Team + +The current Hyperledger Firefly security team is: + +| Name | Email ID | Discord ID | Area/Specialty | +| ---------------- | ------------------ | ---------- | --------------- | + + +The security team for Hyperledger Firefly must include at least three project +Maintainers that agree to carry out the following duties and responsibilities. +Members are added and removed from the team via approved Pull Requests to this +repository. For additional background into the role of the security team, see +the [People Infrastructure] section of the LF Decentralized Trust Security Policy. + +[People Infrastructure]: https://lf-decentralized-trust.github.io/governance/governing-documents/security.html#people-infrastructure + +**Responsibilities:** + +1. Acknowledge the receipt of vulnerability reports to the reporter within 2 + business days. + +2. Assess the issue. Engage with the reporter to ask any outstanding questions +about the report and how to reproduce it. If the report was received by email +and may be a security vulnerability, open a GitHub Security Advisory on the +repository to manage the report. If the report is not considered a +vulnerability, then the reporter should be informed and this process can be +halted. If the report is a regular bug (but not a security vulnerability), the +reporter should be informed (if necessary) of the regular process for reporting +issues. + +3. Some issues may require more time and resources to correct. If a particular +report is complex, discuss an embargo period with the reporter during which +time the report will not be publicly disclosed. The embargo period should be +negotiated with the reporter and must not be longer than 90 days. + +4. If necessary, create a private patch development infrastructure for the issue + by emailing the [LF Decentralized Trust Community Architects]. + +[LF Decentralized Trust Community Architects]: mailto:community-architects@lfdecentralizedtrust.org + +5. Request a CVE for the issue (see the [CNA/CVE Reporting](#cnacve-reporting) + section). + +6. Decide a date for the public release of the vulnerability report, the date + the embargo period ends. + +7. If applicable, notify members of the embargo list of the vulnerability, +upcoming patch and release, as described above. + +8. Publish a new (software) release in which the vulnerability is addressed. + +9. Publicly disclose the issue within 48 hours after the release via a +GitHub security advisory (see the [(GitHub) Security +Advisories](#github-security-advisories) section for details). + +## Discussion Forums + +Discussions about each reported vulnerability should be carried out in the +private GitHub security advisory about the vulnerability. If necessary, a private +channel specific to the issue may be created on the LF Decentralized Trust Discord server +with invited participants added to the discussion. + +## Report Intakes + +Hyperledger Firefly has the following ways to submit security +vulnerabilities. While the security team members will do their best to +respond to bugs disclosed in all possible ways, it is encouraged for bug +finders to report through the following approved channels: + +- Email the [LF Decentralized Trust Foundation security +list](mailto:security@lists.lfdecentralizedtrust.org): To report a security issue, please +send an email with the name of the project/repository, a description of the issue, the +steps you took to create the issue, affected versions, and if known, +mitigations. If in triaging the email, the security team determines the issue may be +a security vulnerability, a [GitHub security vulnerability report] will be +opened. +- Open a [GitHub security vulnerability report]: Open a draft security advisory +on the "Security" tab of this GitHub repository. See [GitHub Security +Advisories](#github-security-advisories) to learn more about the security +infrastructure in GitHub. + +[GitHub security vulnerability report]: https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability + +## CNA/CVE Reporting + +Hyperledger Firefly maintains a list of **Common Vulnerabilities and Exposures +(CVE)** and uses GitHub as its **CVE numbering authority (CNA)** for issuing +CVEs. + +## Embargo List + +Hyperledger Firefly does **NOT** currently maintain a private embargo list. + +If you wish to be added to the embargo list, please email the [LF Decentralized Trust Foundation security +mailing list](mailto:security@lists.lfdecentralizedtrust.org), including the project name +(Hyperledger Firefly) and reason for being added to the embargo list. Requests +will be assessed by the Hyperledger Firefly security team in conjunction with the +appropriate LF Decentralized Trust Staff, and a decision will be made to accommodate or not +the request. + +For more information about the embargo list, please see the [Embargo List +section of the LF Decentralized Trust Security +Policy](https://lf-decentralized-trust.github.io/governance/governing-documents/security.html#embargo-list). + +## (GitHub) Security Advisories + +Hyperledger Firefly uses GitHub Security Advisories to manage the public +disclosure of security vulnerabilities. + +## Private Patch Deployment Infrastructure + +In creating patches and new releases that address security vulnerabilities, +Hyperledger Firefly uses the private development features of GitHub for security +vulnerabilities. GitHub has [extensive +documentation](https://docs.github.com/en/code-security/security-advisories/repository-security-advisories) +about these features. From 041cd195f7a76c32391012c518e14b018bd768d6 Mon Sep 17 00:00:00 2001 From: alexey semenyuk Date: Fri, 4 Jul 2025 13:25:16 +0500 Subject: [PATCH 3/3] Add Enrique to security team Signed-off-by: alexey semenyuk --- SECURITY.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 2afbd62501..ab56d1c16c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -52,9 +52,9 @@ contributors have agreed to follow. The current Hyperledger Firefly security team is: -| Name | Email ID | Discord ID | Area/Specialty | -| ---------------- | ------------------ | ---------- | --------------- | - +| Name | Email ID | Discord ID | Area/Specialty | +| ---------------- | ------------------------ | ---------- | ---------------| +| Enrique Lacal | enrique.lacal@kaleido.io | @enriquel8 | Everything | The security team for Hyperledger Firefly must include at least three project Maintainers that agree to carry out the following duties and responsibilities.