* [SecurityworkGroup] Security response team - bug database needed
@ 2021-06-10 0:15 Joseph Reynolds
2021-06-16 13:08 ` krtaylor
0 siblings, 1 reply; 4+ messages in thread
From: Joseph Reynolds @ 2021-06-10 0:15 UTC (permalink / raw)
To: openbmc, krtaylor
This is a followup to a discussion in the security working group meeting
held 2021-06-09 agenda item 11.
The security response team has difficulty tracking reported security
vulnerabilities to closure and writing CVEs in a timely manner. Having
a confidential bug tracker would help.
Per Dick, the UEFI team uses bugzilla and has a restructured corner for
the security response team: anyone can write a bug, but only security
response team members can see it.
What are the best practices? How do we get a bug tracker which only
OpenBMC security response team members can read?
Joseph
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [SecurityworkGroup] Security response team - bug database needed
2021-06-10 0:15 [SecurityworkGroup] Security response team - bug database needed Joseph Reynolds
@ 2021-06-16 13:08 ` krtaylor
2021-06-21 19:02 ` Joseph Reynolds
0 siblings, 1 reply; 4+ messages in thread
From: krtaylor @ 2021-06-16 13:08 UTC (permalink / raw)
To: Joseph Reynolds, openbmc
On 6/9/21 7:15 PM, Joseph Reynolds wrote:
> This is a followup to a discussion in the security working group meeting
> held 2021-06-09 agenda item 11.
>
>
> The security response team has difficulty tracking reported security
> vulnerabilities to closure and writing CVEs in a timely manner. Having
> a confidential bug tracker would help.
> Per Dick, the UEFI team uses bugzilla and has a restructured corner for
> the security response team: anyone can write a bug, but only security
> response team members can see it.
> What are the best practices? How do we get a bug tracker which only
> OpenBMC security response team members can read?
If I read this correctly, you are requesting a Bugzilla instance be
stood up to track security issues? Since we have no community project
budget to fund any type of hosting, nor any community interest to fund a
trust/budget, this would have to be a donated service. Maybe a
participating company would be willing to host and care for this service?
Alternatively, can the response team use a service that we already have?
Just thinking, I have no details, but maybe a new Github group/repo?
Kurt Taylor (krtaylor)
>
> Joseph
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [SecurityworkGroup] Security response team - bug database needed
2021-06-16 13:08 ` krtaylor
@ 2021-06-21 19:02 ` Joseph Reynolds
2021-06-30 22:11 ` Patrick Williams
0 siblings, 1 reply; 4+ messages in thread
From: Joseph Reynolds @ 2021-06-21 19:02 UTC (permalink / raw)
To: krtaylor, openbmc
On 6/16/21 8:08 AM, krtaylor wrote:
> On 6/9/21 7:15 PM, Joseph Reynolds wrote:
>> This is a followup to a discussion in the security working group
>> meeting held 2021-06-09 agenda item 11.
>>
>>
>> The security response team has difficulty tracking reported security
>> vulnerabilities to closure and writing CVEs in a timely manner.
>> Having a confidential bug tracker would help.
>> Per Dick, the UEFI team uses bugzilla and has a restructured corner
>> for the security response team: anyone can write a bug, but only
>> security response team members can see it.
>> What are the best practices? How do we get a bug tracker which only
>> OpenBMC security response team members can read?
>
> If I read this correctly, you are requesting a Bugzilla instance be
> stood up to track security issues? Since we have no community project
> budget to fund any type of hosting, nor any community interest to fund
> a trust/budget, this would have to be a donated service. Maybe a
> participating company would be willing to host and care for this service?
Yes, I believe other security response teams use Bugzilla. I believe
that would work for OpenBMC. A Bugzilla hosted by one of the TSC member
companies works for me.
- Joseph
>
> Alternatively, can the response team use a service that we already
> have? Just thinking, I have no details, but maybe a new Github
> group/repo?
>
> Kurt Taylor (krtaylor)
>
>>
>> Joseph
>>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [SecurityworkGroup] Security response team - bug database needed
2021-06-21 19:02 ` Joseph Reynolds
@ 2021-06-30 22:11 ` Patrick Williams
0 siblings, 0 replies; 4+ messages in thread
From: Patrick Williams @ 2021-06-30 22:11 UTC (permalink / raw)
To: Joseph Reynolds; +Cc: openbmc, krtaylor
[-- Attachment #1: Type: text/plain, Size: 650 bytes --]
On Mon, Jun 21, 2021 at 02:02:56PM -0500, Joseph Reynolds wrote:
> Yes, I believe other security response teams use Bugzilla. I believe
> that would work for OpenBMC. A Bugzilla hosted by one of the TSC member
> companies works for me.
Hi Joseph,
I think the point is that nobody is going to be interested in
maintaining the infrastructure to run a new Bugzilla instance. We don't
really have a great infrastructure story as it is.
We can create a private GitHub repository for this. Just need Brad to
do the right magic and maintain a GitHub group for all the members of
the security mailing list.
--
Patrick Williams
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-06-30 22:12 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-10 0:15 [SecurityworkGroup] Security response team - bug database needed Joseph Reynolds
2021-06-16 13:08 ` krtaylor
2021-06-21 19:02 ` Joseph Reynolds
2021-06-30 22:11 ` Patrick Williams
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).