Vulnerability report process

gerwin.klein · June 10, 2021, 11:08pm

Also, and not only, for the Best Practice badge, we should set up an official vulnerability report process for seL4.

So far, this has simply been by email to one fo the developers. That doesn’t necessarily have to change much, but it needs to be documented.

I propose to set up an email alias that goes to the subset of the technical steering committee that volunteers to be a point of contact for these. We should set up optional encryption for this for people who want to use it.

Any report should get a response within 14 days, and depending on what it is will either go to the bug tracker to be resolved or documented if it can’t/shouldn’t be resolved (e.g. things like Rowhammer), or, if it is for some reason sensitive, will be handled privately with the reporter until it can be made public.

Any thoughts/feedback?

ps: for those who are wondering, why can there be vulnerabilities in verified seL4? Because there are assumptions about the hardware that can be broken, like in Rowhammer, or not used correctly, such as making a mistake with cache coherency, and because there are unverified configurations of seL4 that can have bugs. People often would still like to deploy unverified configurations in systems, and we want to support that with at least the same level of confidence you can have in other well-engineered software.

anna.lyons · June 11, 2021, 12:15am

Is this going to be for vulnerabilities in all our repos? Or just the seL4 main repo? We should be very clear as to which repos it applies to.

gerwin.klein · June 11, 2021, 12:35am

Good question. I was initially thinking about seL4 only, but maybe we should include at least the versioned core repos in the reporting process as well, e.g. capDL and CAmkES. Open to suggestions, though.

(We’re not committing to fixing everything, just to documenting/reacting).

mbrcknl · June 11, 2021, 5:54am

Would some kind of “responsible disclosure” process be appropriate? I.e. ask the reporter to keep the report private for a period (90 days or as agreed) to allow remediation, and in return promise to make a good faith effort to remediate within that time frame, and also to give credit.

I guess we’re not in a position to offer bug bounties.

I could try to draft something along those line, and also tries to characterise what kinds of vulnerabilities it would apply to.

gerwin.klein · June 11, 2021, 8:52am

Yes, that sounds like a very good idea.

Not currently, no

That would be awesome!

mbrcknl · June 29, 2021, 12:20pm

I posted an initial proposal in this pull request:

github.com/seL4/seL4

meta: add vulnerability disclosure policy

seL4:master ← mbrcknl:vulnerability-disclosure-policy

opened 11:45AM - 29 Jun 21 UTC

mbrcknl

+95 -0

This adds a simple vulnerability disclosure policy, loosely based on: - Disclos…e.io materials. - The OWASP Vulnerability Disclosure Cheat Sheet. I didn't include the typical safe harbour provisions, since I guess that might need legal advice and/or board approval. Once we agree on the content, I'll make similar pull requests in whichever other repositories we want this to cover.

gerwin.klein · July 1, 2021, 12:14am

Now merged. Thanks for the help, Matt, I’m very happy with the result!

Topic		Replies	Views
Testing infrastructure seL4 kernel	29	731	March 12, 2021
Static analysis for seL4	1	242	June 11, 2021
Experimental project on seL4 microbenchmarking	0	181	November 19, 2022
Welcome to the SIG on seL4 multi-core & user-level verification SIG Multicore & User-Level Verification	0	199	March 31, 2023
Verification process in a commercial project Verification	0	104	September 18, 2023

Vulnerability report process

Related Topics