This document defines a set of rules and policies established by FINOS to manage the lifecycle of potential vulnerabilities and security incidents within FINOS projects, aimed at guaranteeing:
- Discretion for new and ongoing development activity around security vulnerabilities that haven't been published yet
- Transparency and guidance around security vulnerabilities that have been identified, patched and released as new versions
It includes step-by-step guides on how contributors can set up a process to manage security vulnerabilities and how anyone can privately submit an undisclosed security vulnerability to a FINOS project.
Common Vulnerabilities and Exposures
Common Vulnerabilities and Exposures (CVE) is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures, although the term is normally used to refer to individual CVE entries. Each entry is comprised of an identification number, a description, and at least one public reference; you can check an example on the cla-bot project. Please note that the term "security vulnerability" also covers undisclosed vulnerabilities, whereas CVEs only refer to publicly disclosed entries.
For FINOS Open Source Consumers
An overview of the vulnerability handling process is:
The reporter reports the vulnerability privately to a FINOS PMC.
The appropriate project's team members work privately with the reporter to resolve the vulnerability.
A new release of the FINOS product concerned is made that includes the fix.
The vulnerability is publicly announced.
Browse security vulnerabilities for a project and release
Security vulnerabilities are published as GitHub Issues marked with the label "security vulnerability". You can easily browse through the closed ones using the GitHub web UI.
Submit a new security vulnerability
To submit a new vulnerability, please follow these steps:
- Identify the FINOS Project (project) related to the security vulnerability.
- Identify the FINOS Program (program) related to the project.
- Identify the private PMC email address from this list; if you cannot find it, please use firstname.lastname@example.org
- Email the PMC privately with the description - and screenshots, if useful - of the vulnerability.