From: swill@apache.org To: commits@cloudstack.apache.org Date: Sat, 28 Jan 2017 16:36:40 -0000 Message-Id: <5ad839cb00894544995975932deeb90e@git.apache.org> In-Reply-To: <71e9b1bb02dd47b0aade9303b62e6eda@git.apache.org> References: <71e9b1bb02dd47b0aade9303b62e6eda@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [4/5] cloudstack-www git commit: fixed some malformed html which was causing the security page to render incorrectly archived-at: Sat, 28 Jan 2017 16:36:45 -0000 fixed some malformed html which was causing the security page to render incorrectly Project: http://git-wip-us.apache.org/repos/asf/cloudstack-www/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack-www/commit/ff1b584f Tree: http://git-wip-us.apache.org/repos/asf/cloudstack-www/tree/ff1b584f Diff: http://git-wip-us.apache.org/repos/asf/cloudstack-www/diff/ff1b584f Branch: refs/heads/asf-site Commit: ff1b584f3cd721eebd33db17ae79631a0b768e18 Parents: e5c333e Author: Will Stevens Authored: Fri Jan 27 16:19:11 2017 -0500 Committer: Will Stevens Committed: Fri Jan 27 16:19:11 2017 -0500 ---------------------------------------------------------------------- content/security.html | 61 ++++++++++++++++++++++--------------------- source/security.markdown | 48 ++++++++++++++++++---------------- 2 files changed, 56 insertions(+), 53 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack-www/blob/ff1b584f/content/security.html ---------------------------------------------------------------------- diff --git a/content/security.html b/content/security.html index a795052..4dde34a 100644 --- a/content/security.html +++ b/content/security.html @@ -162,38 +162,39 @@

Procedure for Responding to Potential Security Issues

    -
  • Upon receiving notice of a potential security issue, a security team member will create a bug to track the investigation, this bug must be flagged as a security issue. Security flag should mean contents of ticket are not visible to non-security team members -
  • Security team investigates the issue to confirm/deny the presence of a vulnerability within CloudStack -
  • If the issue is determined not to be a vulnerability the reporter will be notified and the issue will be closed as invalid -
  • If issue is confirmed as a CloudStack vulnerability: -
      -
    • Security team notifies the Apache Security team -
    • Security team assigns a risk rating to the vulnerability using the Common Vulnerability Scoring System -
    • Security team works with reporter to get a chance to investigate and mitigate the issue in a timely manner before public announcement. This should be between 15-30 days, depending on the severity and complexity of the issue -
    • Security team works with Apache Security Team to reserve a CVE Identifier for future public release -
    • Security team works with appropriate code maintainer(s) to create patch to mitigate the issue -
    • Testing is conducted to verify patch mitigates issue and does not cause regression errors -
    • Security team creates a vulnerability announcement -
    • Patch is committed to trunk and other supported branches that are affected. The commit should not refer to a particular vulnerability -
    • A new CloudStack release or hotfix is prepared and tested, containing the new security patch -
    • Distributor coordination is implemented to enable a coordinated announcement -
    • Security team posts vulnerability announcement to... +
    • Upon receiving notice of a potential security issue, a security team member will create a bug to track the investigation, this bug must be flagged as a security issue. Security flag should mean contents of ticket are not visible to non-security team members
    • +
    • Security team investigates the issue to confirm/deny the presence of a vulnerability within CloudStack
    • +
    • If the issue is determined not to be a vulnerability the reporter will be notified and the issue will be closed as invalid
    • +
    • If issue is confirmed as a CloudStack vulnerability:
        -
      • CloudStack dev list -
      • CloudStack users list -
      • The Bugtraq mailing list - </ul> -
      • After announcement, CHANGES and NEWS files need to be updated to reflect the vulnerability and fix. This must happen AFTER the announcement. -
      • Also after announcement, modify the Jira ticket so that the issue is now publicly viewable. - </ul> -
      • After the vulnerability is addressed, the CloudStack community should review development processes to see how the community can minimize the chance of similar vulnerabilities being introduced in the future. -</ul> +
      • Security team notifies the Apache Security team
      • +
      • Security team assigns a risk rating to the vulnerability using the Common Vulnerability Scoring System
      • +
      • Security team works with reporter to get a chance to investigate and mitigate the issue in a timely manner before public announcement. This should be between 15-30 days, depending on the severity and complexity of the issue
      • +
      • Security team works with Apache Security Team to reserve a CVE Identifier for future public release
      • +
      • Security team works with appropriate code maintainer(s) to create patch to mitigate the issue
      • +
      • Testing is conducted to verify patch mitigates issue and does not cause regression errors
      • +
      • Security team creates a vulnerability announcement
      • +
      • Patch is committed to trunk and other supported branches that are affected. The commit should not refer to a particular vulnerability
      • +
      • A new CloudStack release or hotfix is prepared and tested, containing the new security patch
      • +
      • Distributor coordination is implemented to enable a coordinated announcement
      • +
      • Security team posts vulnerability announcement to... +
          +
        • CloudStack dev list
        • +
        • CloudStack users list
        • +
        • The Bugtraq mailing list
        • +
        +
      • +
      • After announcement, CHANGES and NEWS files need to be updated to reflect the vulnerability and fix. This must happen AFTER the announcement.
      • +
      • Also after announcement, modify the Jira ticket so that the issue is now publicly viewable.
      • +
      +
    • +
    • After the vulnerability is addressed, the CloudStack community should review development processes to see how the community can minimize the chance of similar vulnerabilities being introduced in the future.
    • +
    + +

    For further information

    + +

    Further information about Apache CloudStack's security practices can be found in the CloudStack Security wiki page.

    -## For further information - -Further information about Apache CloudStack's security practices can be found in the [CloudStack Security wiki page](https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+Security). - -
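Review bot: since both content/security.html and source/security.markdown appear in the diffstat, the html side of this hunk should be the site build's output from the markdown change rather than a parallel hand edit; if the generated file was patched by hand, the next regeneration of the asf-site branch can reintroduce the stray "</ul>" closings the "-" side shows after "The Bugtraq mailing list" and "modify the Jira ticket", which is exactly what pushed the "After announcement" items out of the confirmed-vulnerability sub-list. The rebuilt "+" side reads as intended: the three announcement targets (dev list, users list, Bugtraq) are now a closed sub-list under "Security team posts vulnerability announcement to...", the two "After announcement" items sit back among the confirmed-vulnerability steps, and "After the vulnerability is addressed, the CloudStack community should review development processes..." stays at the top level. While these lines are being touched, the first item's comma splice ("...create a bug to track the investigation, this bug must be flagged as a security issue") would read better split into two sentences, and "Security flag should mean..." could take an article ("The security flag should mean...").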