[
https://issues.apache.org/jira/browse/HADOOP-19925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18091128#comment-18091128
]
ASF GitHub Bot commented on HADOOP-19925:
-----------------------------------------
steveloughran commented on PR #8562:
URL: https://github.com/apache/hadoop/pull/8562#issuecomment-4787778175
looking at interesting third party disclosure docs to see what can be
lifted
https://github.com/curl/curl/blob/master/docs/VULN-DISCLOSURE-POLICY.md
I like how the introduction must be human generated text.
I think we should add memory and thread leaks to special topics (or other
resource consumption)
- those which hurt long-running processes: bugs
- resource consumption on services which could be initiated by a lower
privileged remote caller and grow rapidly shall be considered CVEs
Also
- Native code?
- tls/openssl algorithms "out of scope as third party lib)
Client side resilience to malicious services
- clients are expected to be well configured (need to call this out) to talk
to correct service endpoints, including any web proxies. Lack of resilience to
malformed responses SHALL be considered bugs, not CVEs. + Mention how this
applies to cloud storage services, ftp, http urls too.
## test code
Bugs except when secrets are logged or if it is possible for malicious code
to be executed in CI/CD workflows.
## handling workflow
+ define the handling process, including links to asf workflow
- Support calls: reject
- ai reports: AI triage before human review/reject.
- human reports: human + AI triage
Downgrade to bug
- invite submitter to provide pr, create issue, etc, if it is simple
- complex bugs, expect dev team work
- bugs get attention with all other work.
- fix on trunk, backport to supported if not too hard
Accepted vulnerability
- asf process
CVE scoring: explain why more ruthless than AI. Recognise desire for
recognition but that if we don't consider it that important in a well
configured production system, it gets a low score. Especially
- never web/internet facing
- logs SHOULD be kept private
- well configured requirement
> Create a SECURITY.md file to define the security model for the AI tools
> -----------------------------------------------------------------------
>
> Key: HADOOP-19925
> URL: https://issues.apache.org/jira/browse/HADOOP-19925
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.6.0
> Reporter: Steve Loughran
> Assignee: Steve Loughran
> Priority: Major
> Labels: pull-request-available
>
> Write a SECURITY.md file to scope AI generated security reports to sensible
> deployments, and also for humans. Base off best work of other projects.
> - explain deployments and their security boundaries (dev, kerberos, isolated
> cloud)
> - only accept security issues against kerberos
> - anything which doesn't lead to privilege escalation is a bug
> - anything which hurts perf is just a bug
> - we expect site config to be valid. If that can be manipulated, game over.
> - job submission is remote code execution so no, you don't get a CVE for that
> I will include dev and CI as targets of attacks and that we do care here.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
