Update CVE request process for MITRE's Web form

As MITRE is no longer accepting CVE requests via E-mail, switch to
using their Web form. This also makes using a separate CNA for
embargoed CVE requests mostly irrelevant, so use basically the same
process for both private and public reports.

Change-Id: I557cd75f883b3a2cf6f33009990a414aeb105664
Jeremy Stanley 2017-05-03 18:36:56 +00:00
parent aaf503aec8
commit 2c546e256d
1 changed file with 47 additions and 8 deletions

@ -140,18 +140,49 @@ The description is validated by the reporter and the PTL.
Send CVE request
^^^^^^^^^^^^^^^^
To ensure full traceability, we get a CVE assigned before the issue
is communicated to a larger public. This is generally done as the
patch gets nearer to final approval. The ossa bugtask status is set
to *In progress* and the approved description is sent to a CNA in
an encrypted+signed email in order to get a CVE assigned. If the
issue is already public, the CVE request should be sent to the
oss-security list instead, including links to public bugs.
To ensure full traceability, we attempt to obtain a CVE assignment
before the issue is communicated to a larger public. This is
generally done as the patch gets nearer to final approval. The ossa
bugtask status is set to *In progress* and the approved impact
description is submitted through `MITRE's CVE Request form`_. The
*request type* is ``Request a CVE ID``, the *e-mail address* should
be that of the requester (generally the assigned VMT coordinator in
the case of reports officially managed by the VMT), and for
embargoed reports the coordinator's OpenPGP key should be pasted
into the field provided.
In the *required* section set the checkboxes indicating the product
is not CNA-covered and that no prior CVE ID has been assigned,
select an appropriate *vulnerability type* (using ``Other or
Unknown`` to enter a freeform type if there is nothing relevant on
the drop-down), set the *vendor* to ``OpenStack``, and the *product*
and *version* fields to match the ``$PROJECTS`` and
``$AFFECTED_VERSIONS`` from the impact description. In the
*optional* section set the radio button for *confirmed/acknowledged*
to ``Yes``, choose an appropriate *attack type* in the drop-down
(often this is ``Context-dependent`` for our cases), check the
relevant *impact* checkboxes, attempt to fill in the *affected
components* and *attack vector* fields if possible, paste in the
*suggested description* from the prose of the impact description
(usually omitting the first sentence as it's redundant with other
fields), put the ``$CREDIT`` details in the *discoverer/credits*
field, and the bug URL (along with Gerrit URLs for patches if
already public) in the *references* field. If the report is still
private, note that in the *additional information* field like ``This
report is currently under embargo and no disclosure date has been
scheduled at this time.``
At the bottom of the page, fill in the *security code* and click the
*submit request* button. If some fields contain invalid data they
will be highlighted red; correct these, update the *security code*
and *submit request* again until you get a confirmation page.
.. _MITRE's CVE Request form: https://cveform.mitre.org/
Get assigned CVE
^^^^^^^^^^^^^^^^
The CNA returns the assigned CVE. It is added to the Launchpad bug
MITRE returns the assigned CVE. It is added to the Launchpad bug
(see "link to CVE" at the top-right), and the bug is retitled to
"$TITLE ($CVE)".
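Review bot: The removed sentence "If the issue is already public, the CVE request should be sent to the oss-security list instead, including links to public bugs." has no explicit replacement in the new paragraph, so a reader handling an already-public issue is left to infer from the commit message that the Web form is now used in that case too. The new text only touches the public case indirectly ("along with Gerrit URLs for patches if already public" and the conditional "If the report is still private"); consider adding one sentence after the first paragraph stating that public reports go through the same form, with the OpenPGP key field left empty and the public bug and review links placed in the *references* field, so the private/public distinction the commit message describes is stated in the document itself.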
@ -189,6 +220,14 @@ on master and supported stable branches, fast-track approvals
Embargo reminder can be removed at that point.
`MITRE's CVE Request form`_ should be used again at this point, but
instead select a *request type* of ``Notify CVE about a
publication`` and fill in the coordinator's *e-mail address*,
provide a *link to the advisory* (the URL to it on
https://security.openstack.org/ if this was an official OSSA), the
*CVE IDs* covered, and the *date published*. Once more, fill in the
*security code* at the bottom of the page and *submit request*.
Publish OSSA
^^^^^^^^^^^^
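Review bot: The ordering of this new paragraph looks wrong: it asks the coordinator to "provide a *link to the advisory* (the URL to it on https://security.openstack.org/ if this was an official OSSA)" and the *date published*, but it is inserted before the "Publish OSSA" section, so at the point where the text says the form "should be used again at this point" the advisory URL and publication date do not yet exist. Either move the paragraph to follow the "Publish OSSA" step, or change "at this point" to state that the "Notify CVE about a publication" request is submitted once the advisory is live and its URL is known.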