0
0
mirror of https://github.com/nodejs/node.git synced 2024-11-29 23:16:30 +01:00
nodejs/doc/guides/cve_management_process.md

138 lines
5.8 KiB
Markdown
Raw Normal View History

# Node.js CVE management process
The Node.js project acts as a [Common Vulnerabilities and Exposures (CVE)
Numbering Authority (CNA)](https://cve.mitre.org/cve/cna.html).
The current scope is for all actively developed versions of software
developed under the Node.js project (ie. https://github.com/nodejs).
This means that the Node.js team reviews CVE requests and if appropriate
assigns CVE numbers to vulnerabilities. The scope currently **does not**
include third party modules.
More detailed information about the CNA program is available in
[CNA_Rules_v1.1](https://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf).
## Contacts
As part of the CNA program the Node.js team must provide a number
of contact points. Email aliases have been setup for these as follows:
* **Public contact points**. Email address to which people will be directed
by Mitre when they are asked for a way to contact the Node.js team about
CVE-related issues. **cve-request@iojs.org**
* **Private contact points**. Administrative contacts that Mitre can reach out
to directly in case there are issues that require immediate attention.
**cve-mitre-contact@iojs.org**
* **Email addresses to add to the CNA email discussion list**. This address has
been added to a closed mailing list that is used for announcements,
sharing documents, or discussion relevant to the CNA community.
The list rarely has more than ten messages a week.
**cna-discussion-list@iojs.org**
## CNA management processes
### CVE Block management
The CNA program allows the Node.js team to request a block of CVEs in
advance. These CVEs are managed in a repository within the Node.js
private organization called
[cve-management](https://github.com/nodejs-private/cve-management).
For each year there will be a markdown file titled "cve-management-XXXX"
where XXXX is the year (for example 'cve-management-2017.md').
This file will have the following sections:
* Available
* Pending
* Announced
When a new block of CVEs is received from Mitre they will be listed under
the `Available` section.
These CVEs will be moved from the Available to Pending and Announced
as outlined in the section titled `CVE Management process`.
In addition, when moving a CVE from Available such that there are less
than two remaining CVEs a new block must be requested as follows:
* Use the Mitre request form https://cveform.mitre.org/ with the
option `Request a Block of IDs` to request a new block.
* The new block will be sent to the requester through email.
* Once the new block has been received, the requester will add them
to the Available list.
All changes to the files for managing CVEs in a given year will
be done through Pull Requests so that we have a record of how
the CVEs have been assigned.
CVEs are only valid for a specific year. At the beginning of each
year the old CVEs should be removed from the list. A new block
of CVEs should then be requested using the steps listed above.
### External CVE request process
When a request for a CVE is received via the cve-request@iojs.org
email alias the following process will be followed (likely updated
after we get HackerOne up and running).
* Respond to the requester indicating that we have the request
and will review soon.
* Open an issue in the security repo for the request.
* Review the request.
* If a CVE is appropriate then assign the
CVE as outline in the section titled
[CVE Management process for Node.js vulnerabilities](#cve-management-process-for-nodejs-vulnerabilities)
and return the CVE number to the requester (along with the request
to keep it confidential until the vulnerability is announced)
* If a CVE is not appropriate then respond to the requester
with the details as to why.
### Quarterly reporting
* There is a requirement for quarterly reports to Mitre on CVE
activity. Not sure of the specific requirements yet. Will
add details on process once we've done the first one.
## CVE Management process for Node.js vulnerabilities
When the Node.js team is going announce a new vulnerability the
following steps are used to assign, announce and report a CVE.
* Select the next CVE in the block available from the CNA process as
outlined in the section above.
* Move the CVE from the unassigned block, to the Pending section along
with a link to the issue in the security repo that is being used
to discuss the vulnerability.
* As part of the
[security announcement process](https://github.com/nodejs/security-wg/blob/master/processes/security_annoucement_process.md),
in the security issue being used to discuss the
vulnerability, associate the CVE to that vulnerability. This is most
commonly done by including it in the draft for the announcement that
will go out once the associated security releases are available.
* Once the security announcement goes out:
* Use the [Mitre form](https://cveform.mitre.org/) to report the
CVE details to Mitre using the `Notify CVE about a publication`. The
link to the advisory will be the for the blog announcing that security
releases are available. The description should be a subset of the
details in that blog.
Ensure that the contact address entered in the form is
`cve-mitre-contact@iojs.org`. Anything else may require slow, manual
verification of the identity of the CVE submitter.
For each CVE listed, the additional data must include the following fields
updated with appropriate data for the CVE
```text
[CVEID]: CVE-XXXX-XXXX
[PRODUCT]: Node.js
[VERSION]: 8.x+, 9.x+, 10.x+
[PROBLEMTYPE]: Denial of Service
[REFERENCES]: Link to the blog for the final announce
[DESCRIPTION]: Description from final announce
[ASSIGNINGCNA]: Node.js Foundation
```
* Move the CVE from the Pending section to the Announced section along
with a link to the Node.js blog post announcing that releases
are available.