
OQS security response process #124

Open: wants to merge 18 commits into main

Conversation

@SWilson4 (Member) commented Jan 3, 2025

This PR proposes a security response process for OQS. Please read it over and provide feedback. I expect it will undergo a fair bit of revision, but hopefully this gives us a starting point.

I have left a number of comments requesting feedback on specific points throughout the document. These are clearly marked by COMMENT. I'll keep the PR in draft until all of these are removed.

Closes #60.

SWilson4 and others added 2 commits January 3, 2025 16:12

dstebila commented Feb 3, 2025

I think this can be marked as "Ready for review" and proceed with getting final reviews towards merging.

* Add security announcement mailing list

@SWilson4 SWilson4 marked this pull request as ready for review February 4, 2025 13:28
@SWilson4 SWilson4 requested a review from baentsch February 21, 2025 15:19
@SWilson4 (Member Author)

@open-quantum-safe/tsc @open-quantum-safe/security-managers

I think that all discussions have now been resolved satisfactorily. Please review the latest version so we can get this merged!

@baentsch (Member) left a comment

See additional single comments and apologies for not wrapping them into one coherent review - I simply didn't assume there'd still be so many items in need of clarification :-(

@SWilson4 (Member Author)

See additional single comments and apologies for not wrapping them into one coherent review - I simply didn't assume there'd still be so many items in need of clarification :-(

The one-liners are addressed in the latest commit; others are addressed in the relevant threads.

@dstebila (Member)

I think most members of the proposed Vulnerability Management Team have commented on this, but tagging those who haven't yet commented just in case: @bhess, @praveksharma

@bhess (Member) left a comment

Thanks for this work @SWilson4! See the single comment inline.

@SWilson4 (Member Author)

@baentsch @bhess @brian-jarvis-aws Your feedback is (hopefully) addressed in the latest commit.

@baentsch (Member)

The more I think about my recent commentary/concerns, and also taking into account security notification registrations by commercial product organizations (another one just arrived in our Inboxes), what about the proposal to ask those organizations whether they'd be willing to provide personnel for the VMT? This would make it more resilient and align OQS external and internal interests. Topic for discussion next Tuesday @dstebila ?


dstebila commented Mar 2, 2025

The more I think about my recent commentary/concerns, and also taking into account security notification registrations by commercial product organizations (another one just arrived in our Inboxes), what about the proposal to ask those organizations whether they'd be willing to provide personnel for the VMT? This would make it more resilient and align OQS external and internal interests. Topic for discussion next Tuesday @dstebila ?

Sure, we can send an email to the new security announcements list (once it's populated) asking for volunteers from there interested in being more active in OQS security responses. But I don't think anything needs to change in this PR for us to do that.


Successfully merging this pull request may close these issues.

Decide security (issue) report handling team and procedure
6 participants