request #35827 Document vulnerability disclosure process

Artifact

Infos

Artifact ID#35827

Submitted byThomas Gerbet (tgerbet)

Last Modified On2024-03-14 11:49

Submitted on2024-01-05 09:45

Rank37413

Details

Summary *

Document vulnerability disclosure process

Original Submission

The disclosure process of Tuleap vulnerabilities is not documented, it should be.

The goals are:

to give clear expectations to security researchers / finders on what they can expect when they report a vulnerability
to make it easier for Tuleap integrators to take part of the process if needed (it can only be easier than what it is today as the whole process only really lives in my head...)
OSS part for ISO 27001 A.8.8...

Expected documents at the end of this request:

a guide describing and explaining the whole process
a runbook summarizing the process to make it easy to follow
templates to communicate with security researchers / finders and creating advisories

The security policy might also be slightly adjusted.

CategoryOther

Reported in versionEmpty

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2024-03-14

Attachments

Connected artifacts

Artifact links

Releases

Fixed in

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #35499	Tuleap	Releases	15.7	Delivered	2024-28-03 10:56	Manuel Vacelet (vaceletm)

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #35827

Git commit

tuleap/tuleap/stable

chore: Document vulnerability management and disclosure processes da1750171d

Thomas Gerbet (tgerbet) , 2024-03-14 09:55

doc: Add some information about the commit message content of security fixes 3e8182078a

Thomas Gerbet (tgerbet) , 2024-03-20 10:04

Show items referenced by request #35827

Referenced by request #35827

Artifact Tracker v5

rel #35499 15.7

Git commit

tuleap/tuleap/stable

chore: Document vulnerability management and disclosure processes da1750171d

Thomas Gerbet (tgerbet) , 2024-03-14 09:55

Other

Follow-ups

Manuel Vacelet (vaceletm)

2024-03-14 11:49

Connected artifacts
- Added Fixed in: rel #35499

Tracker Workflow Manager (forge__tracker_workflow_manager)

2024-03-14 11:49

Closed by @tgerbet with git #tuleap/stable/da1750171d4b6c20e998cdfd62899a0811dedd53.

Status changed from Under implementation to Closed
Close date set to 2024-03-14

Thomas Gerbet (tgerbet)

2024-03-13 17:01

See gerrit #30533