Security pre-disclosure mailing list


Ingo Schommer

Feb 11, 2014, 4:49:40 PM
to silverst...@googlegroups.com
Hello everybody,

SilverStripe is being used in many environments where security is crucial,
so we’re looking for ways to enable fast and solid responses to any known issues.

In addition to our existing security release process, we’d like to introduce a pre-disclosure mailing list.
Members in this list will receive a security pre-announcement as soon as it has been sufficiently researched,
alongside a timeline for the upcoming release. This will happen a few days before
the announcement goes public alongside a new release, and most likely before a patch has been developed.

Since we’ll distribute sensitive info on unpatched vulnerabilities in this list,
the selection criteria for joining naturally have to be strict.

We’re thinking of making it invite only based on references from other list members,
combined with a demonstrated need for this level of information (e.g. a large website with sensitive customer data).

You don’t need to be a client of SilverStripe Ltd to get on board, 
but we will need to perform some low-touch background checks to ensure identity.

Regardless of this list, our aim continues to be a fast response time on security issues;
this just adds another channel for making people aware of upcoming events.

Do you think that’s a workable balance between openness and information security?
It seems to work for other communities like Django.

Thanks
Ingo

Ronald van Raaphorst

Feb 12, 2014, 2:59:11 AM
to silverst...@googlegroups.com
Hello Ingo,

Even though I’m not very active in this group, I read the messages with interest whenever I can.
I think this is an excellent idea.

Unfortunately, few of my clients pay for updates (yes, I have to change that), so there will
always be unpatched installations…

Could we integrate security updates of plugins somehow too? I think that for other systems like WordPress
and Joomla, the base code may be pretty ok, but the plugins do not keep up and provide most of the security holes.

Ronald

PS: Keep up the good work! Thumbs up!


--
You received this message because you are subscribed to the Google Groups "SilverStripe Core Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to silverstripe-d...@googlegroups.com.
To post to this group, send email to silverst...@googlegroups.com.
Visit this group at http://groups.google.com/group/silverstripe-dev.
For more options, visit https://groups.google.com/groups/opt_out.

g4b0

Feb 12, 2014, 3:52:32 AM
to silverst...@googlegroups.com
+1 Nice idea, I also agree with Ronald in including security updates of plugins.

g4b0

Lamin Barrow

Feb 12, 2014, 4:09:33 AM
to silverst...@googlegroups.com
Hi Ingo,

I welcome this idea and this is just in time. Recently, I have been working on devesigner.com and a few security-related things did come up, the disclosure of which would probably expose some sensitive vulnerabilities in the underlying framework. I have built quite a few member-related websites with SS and I think I have input for such a list.

Lamin

Loz Calver

Feb 12, 2014, 4:18:19 AM
to silverst...@googlegroups.com
Hey Ingo,

This sounds like a good solution to me. Ensures sensitive info is kept behind closed doors, while allowing (selected) devs to discuss the issue openly/chime in with suggestions for fixes.

As for security updates for plugins, it's much easier said than done - many third-party libs included in the framework have already been patched to fix bugs/add extra features, so it's not a simple drop-in update for most of these. That said, I think we could do with running through the framework and finding third-party software that's no longer maintained (a recent issue highlighted the need for this) and making a push at some point soon to switch to other bits of software where possible. It's a huge task though, which is why the distributed jQuery version is still an older one.

@Lamin, rather than waiting for this list to be set up, you should email secu...@silverstripe.org with any info you can provide.

Loz

swaiba

Feb 12, 2014, 9:57:35 AM
to silverst...@googlegroups.com
+1 - very interested in this


Mansi

Feb 12, 2014, 4:25:22 PM
to silverst...@googlegroups.com
+1 - interested in this.


--
You received this message because you are subscribed to the Google Groups "SilverStripe Core Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to silverstripe-d...@googlegroups.com.
To post to this group, send email to silverst...@googlegroups.com.
Visit this group at http://groups.google.com/group/silverstripe-dev.
For more options, visit https://groups.google.com/groups/opt_out.



--
Mansi Sheth
0430 000 390

Aram Balakjian

Feb 13, 2014, 5:47:00 AM
to silverst...@googlegroups.com
+1 - This would be great


Nedmas

Feb 13, 2014, 9:55:10 AM
to silverst...@googlegroups.com
Hey Ingo,

Sounds like a very sensible solution to providing updates on such sensitive topics.
Any steps to improve communication and security get my vote.

Cheers,
Tom

Gerry Silva

Feb 13, 2014, 2:30:56 PM
to silverst...@googlegroups.com
Ingo

I am releasing a cloud application based on the silverstripe framework.
My customers will enter financial info that should be secured.
Can you kindly include me in any future security updates.
Thank you in advance.

Sites: bizerv.com and survey.bizerv.com

Regards
Gerry Silva
Mobile/Cell Phone +61403 284 202
silva...@gmail.com


--
You received this message because you are subscribed to the Google Groups "SilverStripe Core Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to silverstripe-d...@googlegroups.com.
To post to this group, send email to silverst...@googlegroups.com.
Visit this group at http://groups.google.com/group/silverstripe-dev.
For more options, visit https://groups.google.com/groups/opt_out.




This email is free from viruses and malware because avast! Antivirus protection is active.


silva_gerry.vcf

Carlos Cordero

Feb 13, 2014, 4:01:37 PM
to silverst...@googlegroups.com
Hi everyone,

At Room9 we have rolled out maintenance plans for clients under which patching and upgrading are made to happen.

Security has played a part in the conversations we had with our clients. They want their infrastructure to be kept secure.

In order to be able to do so, having a closed list in which we who make it happen are kept abreast of "security related developments" is a sensible idea. It gives our community a process by which those who need to know are kept in the loop. It is a good organisational practice, especially when considering that we are a "loose" type of organisation (SilverStripe in the middle and the rest in orbit).

I agree that people in that mailing list will have to be vetted and I would advise that it should not be "light-handed". I am not saying GCSB-level vetting, but SilverStripe needs to know it can trust the people on the list to keep the information confidential and not to disclose it. The members of the group should be able to trust that all members will comply with any rules.

A workable balance can be achieved and I also trust that our community can keep the balance in the long run as stresses bear on one end or the other of the pole.

Carlos Cordero
Room9

Daniel Hensby

Feb 13, 2014, 6:03:15 PM
to silverst...@googlegroups.com
Hi Ingo,

I think this is a great idea. Also, it'd allow more community based discussions around reporting potential bugs too. At the moment that's a very internal process when an issue is emailed to the security mailing list.

Dan

Carlos Cordero

Feb 13, 2014, 6:12:03 PM
to silverst...@googlegroups.com
Yes, provided we keep those debates about vulnerabilities within the subset of members who have been vouched for and belong to the mailing list.

Having said that, on the wider SilverStripe community, we need everyone to know how to properly report a bug and what the procedure, is so some sort of blogging about the activities of the security subgroup is well merited.

Nice point, Dan.

Daniel Hensby

Feb 13, 2014, 6:26:25 PM
to silverst...@googlegroups.com
Exactly

Ralph Slooten

Feb 19, 2014, 4:02:19 AM
to silverst...@googlegroups.com

I agree with several of the comments here, and the "vouch for" approach would probably be the wisest to filter out potential script kiddies etc.

Great idea, I'm totally for it.

Regards,
Ralph


Will Morgan

Feb 19, 2014, 10:00:47 AM
to silverst...@googlegroups.com
Count me in.


Martimiz

Feb 19, 2014, 1:54:48 PM
to silverst...@googlegroups.com
Yes please :)

SHASHIKANT VAISHNAV

Feb 19, 2014, 2:03:13 PM
to silverst...@googlegroups.com
Sounds great !
--
Thanks & Regards
Shashikant Vaishnav
Developer at ClickHereMedia.co.uk
Intern at Google Summer of Code
http://about.me/shashitechno



UndefinedOffset

Feb 20, 2014, 11:23:12 AM
to silverst...@googlegroups.com
Ya count Webbuilders Group (sup...@webbuildersgroup.com) in as well

Cam Findlay

Feb 22, 2014, 4:14:02 AM
to silverst...@googlegroups.com
Yip, please add me Ingo :)


Jeremy Thomerson

Feb 24, 2014, 3:08:24 PM
to silverstripe-dev
I was waiting to reply to see what others thought of the idea. It seems like everyone is in favor. I would like to be included on the list when it is set up.

Jeremy Thomerson



James Pluck

Feb 24, 2014, 10:03:32 PM
to silverst...@googlegroups.com
+1 from Courage Web Solutions.  

I agree with the comments made by Carlos also.  I think the vetting needs to be reasonably strict.  Best results would be releasing a patch before the public is aware of the vulnerability and the only way to do that is communication among a trusted group to resolve the problem.



Kind regards

James Pluck (BSc, AIITP)
Director
--
Courage Web Solutions Ltd
P: +64-7-929 4960
M: +64-21-236 6900
E: ja...@courage.co.nz

Conrad Dobbs

Feb 25, 2014, 2:00:07 PM
to silverst...@googlegroups.com
I'd definitely be keen to be notified of any security issues. Please add Web Torque (sup...@webtorque.co.nz).

xini

Feb 27, 2014, 6:32:36 AM
to silverst...@googlegroups.com
+1. Please add us too (support at innoweb dot com dot au). Thanks.

Nelamid DD

Feb 27, 2014, 8:32:26 AM
to silverst...@googlegroups.com
Please count me in.



Ingo Schommer

Apr 1, 2014, 12:36:10 AM
to silverst...@googlegroups.com
Hey guys, I haven't documented this process in the right places yet,
which meant the current security release didn't get a preannouncement.
I've sent it out now, sorry for the delay.

bauke

Apr 1, 2014, 11:32:26 AM
to silverst...@googlegroups.com
Please add me too, thanks!

hubertusanton

Apr 3, 2014, 5:57:25 AM
to silverst...@googlegroups.com
Hi Ingo,

Could I be added to the list?
ba...@30.nl

Thanks,

Bart

Martimiz

Apr 3, 2014, 8:16:30 AM
to silverst...@googlegroups.com
Hi Ingo

Just to make sure - is that list already in effect? And if so, how can one tell one is on it? :)

Thanks, Martine

Hamish Friedlander

Apr 3, 2014, 5:40:38 PM
to silverst...@googlegroups.com
> Just to make sure - is that list already in effect? And if so, how can one tell one is on it? :)
> Thanks, Martine

It's in a sort of alpha-test state. There's a list and we're posting pre-disclosure notices to it, but we're heavily backlogged on figuring out what's needed to get on the list. We need it to stay fairly small & controlled if it's going to be better than just immediate public disclosure. We've got to "we personally know the requester and agree internally that it's reasonable to add them", but not much further, and even that's messy & prone to missing people. To quote Ingo,

> We’re thinking of making it invite only based on references from other list members, combined with a demonstrated need for this level of information (e.g. a large website with sensitive customer data).

We also don't currently have a manageable or documented method for providing evidence of identity or requirement when requesting access (just having everyone say "me too" on this thread isn't practical or secure) or checking if you're subscribed once accepted.

It's likely that for most people, simply knowing there's a pending security issue or release is enough, without needing any details, so we might start posting heavily censored notices to this list or silverstripe-announce, which will help limit the effort of validating people for the pre-disclosure list.

It's still under active development, and there's obviously community demand. We'll contact those who have expressed interest but are not yet added once we have more details. Please bear with us while we figure it out.

Hamish Friedlander
 

Ingo Schommer

Nov 18, 2014, 2:26:58 PM
to silverst...@googlegroups.com
Regarding the pre-announce list, we've been called out that the recent security releases in 3.1.7 haven't been preannounced.
They were both classified as "low severity", which is why we skipped this step - but that assumption isn't documented anywhere.
I would suggest that anything classified as "low" or "moderate" would not receive a pre-announce, in order to keep the list relevant to "important" and "critical" severity only, which likely require review or action prior to the public announcement.


Simon J Welsh

Nov 18, 2014, 3:21:53 PM
to silverst...@googlegroups.com
The problem I see here is that things classed as low or moderate may actually be rather critical for some sites (I see the file listing disclosure as something that’d be rather bad in some situations). Just because they fit low or moderate doesn’t mean that they’re low impact.

---
Simon Welsh
Admin of http://91carriage.com/ – Specialised SilverStripe hosting

Carlos Cordero

Nov 18, 2014, 8:34:00 PM
to silverst...@googlegroups.com
Room9’s response to the suggestion “...that anything classified as "low" or "moderate" would not receive a pre-announce...”.

(1) In principle, we always prefer to be aware of all security related issues, not just a subset.  

(2) As you are using SilverStripe’s definition of degrees of severity, we have looked at it again and we are concerned that your point of view is quite different to ours. Having different points of view is perfectly normal, but the outcome is that we will have different priorities regarding the severity of issues.

(3) Seeing (2) is likely to be true for most of us involved in this group, Room9 would feel more comfortable with regards to the assessment of the severity of vulnerabilities if SilverStripe were to use an industry standard vulnerability scoring system such as the Common Vulnerability Scoring System (CVSS) http://www.first.org/cvss/cvss-guide.pdf and its Common Vulnerability Scoring System Version 2 Calculator http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 . These are the systems and criteria used to score CVEs; they are free to use and require no affiliation with their governing bodies.

(4) If the use of CVSS were to be incorporated, then it would take very little additional effort for SilverStripe to be able to release CVEs.  That would put SilverStripe on a higher level for maturity and transparency and increase its appeal.

Conclusions:

A) We disagree with the suggestion of only pre-announcing what is considered “low” or “moderate” according to SilverStripe’s criteria.

B) We respectfully suggest that CVSS is adopted for the scoring of vulnerabilities.

Kind regards,

Carlos Cordero
Room9 Limited


--
You received this message because you are subscribed to a topic in the Google Groups "SilverStripe Core Development" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/silverstripe-dev/0mjNBaSP8vE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to silverstripe-d...@googlegroups.com.

Carlos Cordero

Nov 18, 2014, 11:10:48 PM
to silverstripe-dev

Room9’s response to the suggestion “...that anything classified as "low" or "moderate" would not receive a pre-announce...”.

(1) In principle, we always prefer to be aware of all security related issues, not just a subset.  

(2) As you are using SilverStripe’s definition of degrees of severity, we have looked at it again and we are concerned that SilverStripe's point of view is quite different to Room9's. Having different points of view is perfectly normal, but the outcome is that we will have different priorities regarding the severity of issues.

(3) Seeing (2) is likely to be true for most of us involved in this group, Room9 would feel more comfortable with regards to the assessment of the severity of vulnerabilities if SilverStripe were to use an industry standard vulnerability scoring system such as the Common Vulnerability Scoring System (CVSS) http://www.first.org/cvss/cvss-guide.pdf and its Common Vulnerability Scoring System Version 2 Calculator http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 . These are the systems and criteria used to score CVEs; they are free to use and require no affiliation with their governing bodies.

(4) If the use of CVSS were to be incorporated, then it would take very little additional effort for SilverStripe to be able to release CVEs.  That would put SilverStripe on a higher level for maturity and transparency and increase its appeal for large and enterprise accounts.

Conclusions:

A) We disagree with the suggestion of only pre-announcing what is considered “low” or “moderate” according to SilverStripe’s severity criteria.

B) We respectfully suggest that CVSS is adopted for the scoring of vulnerabilities.

Kind regards,

Carlos Cordero

Room9 Limited


--
You received this message because you are subscribed to a topic in the Google Groups "SilverStripe Core Development" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/silverstripe-dev/0mjNBaSP8vE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to silverstripe-d...@googlegroups.com.

Matthew Bonner

Dec 12, 2014, 8:11:19 AM
to silverst...@googlegroups.com
I think having such a list is paramount, but you will have to elaborate on what criteria have to be met to be on this list. I work on Government websites here in the UK and I would like to think that, even though I haven't made any pull requests, I am not excluded from receiving notifications, because we have a procedure we have to adhere to in order to do emergency releases, which includes patching the code, getting it tested independently, then getting the client approval, then the head of business change has to approve the release, then we have to go to the council offices and put the change live. So the sooner we know the better in my view, and I'd be keen to know what the criteria are for being kept informed.