Thanks for bringing this up, Dian.

+1 on creating a project specific security mailing list. My two cents, I
think it is worth doing in practice.

Although the ASF security ML is always available, usually all the emails
are simply routed to the individual project PMC. This is an additional hop.
And in some cases, the best person to address the reported issue may not be
a PMC member but a committer, so the PMC has to involve them in the loop
again. This makes things unnecessarily complicated. Having a project
specific security ML would make it much easier to have everyone at the same
table.

Also, one thing to note is that even though security issues are usually
rare, they could be devastating and thus need to be treated seriously. So I
think it is a good idea to establish the handling mechanism regardless of
the frequency of the reported security vulnerabilities.

Thanks,

Jiangjie (Becket) Qin

On Fri, Nov 15, 2019 at 1:14 AM Yu Li <car...@gmail.com> wrote:

> Thanks for bringing up this discussion Dian! How to report security bugs to
> our project is a very important topic!
>
> Big +1 on adding some explicit instructions in our document about how to
> report security issues, and I suggest opening another thread to vote on the
> reporting method in Flink.
>
> FWIW, known options to report security issues include:
> 1. Set up secur...@flink.apache.org and ask users to report security
> issues there
> 2. Ask users to send security reports to secur...@apache.org
> 3. Ask users to send security reports directly to priv...@flink.apache.org
>
> More details:
>
> Descriptions on http://apache.org/security/:
> *============================================*
>
> *We strongly encourage folks to report security vulnerabilities to one of
> our private security mailing lists first, before disclosing them in a
> public forum.*
>
> *A list of security contacts for Apache projects
> <http://apache.org/security/projects.html> is available. If you can't find
> a project specific security e-mail address and you have an undisclosed
> security vulnerability to report then please use the general security
> address below.*
>
>
> *The general security mailing list address is: secur...@apache.org
> <secur...@apache.org>. This is a private mailing list.*
> *============================================*
>
> There are also projects directly using the private@ mailing list to report
> security issues, such as HBase (as documented at the very beginning of its
> online ref-guide book here <http://hbase.apache.org/book.html#_preface>).
>
> Hope this information helps. Thanks.
>
> Best Regards,
> Yu
>
>
> On Thu, 14 Nov 2019 at 18:11, Chesnay Schepler <ches...@apache.org> wrote:
>
> > Source: https://www.apache.org/security/
> >
> > Now, we can of course set up such a mailing list (as outlined here
> > https://www.apache.org/security/committers.html), but I'm not sure if it
> > is necessary since the number of reports is _really_ low.
> >
> > On 14/11/2019 11:03, Chesnay Schepler wrote:
> > > AFAIK, the official way to report vulnerabilities in any Apache
> > > project is to write to secur...@apache.org and/or notify the
> > > respective PMC. So far, we had several reports that went this route,
> > > hence I'm not convinced that an additional ML is required.
> > >
> > > I would be fine with an additional paragraph somewhere outlining this
> > > though.
> > >
> > > On 14/11/2019 06:57, Jark Wu wrote:
> > >> Hi Dian,
> > >>
> > >> Good idea and +1 to set up a security mailing list.
> > >> Security vulnerabilities should not be publicly disclosed (e.g. via
> > >> the dev ML or JIRA) until the project has responded.
> > >> However, AFAIK, Flink doesn't have an official process to
> > >> report vulnerabilities.
> > >> It would be nice to have one to protect Flink users and respond to
> > >> security problems quickly.
> > >>
> > >> Btw, we may also need a dedicated page on the website to describe the
> > >> security vulnerability reporting process and the CVE list.
> > >>
> > >> Best,
> > >> Jark
> > >>
> > >>
> > >>
> > >> On Thu, 14 Nov 2019 at 13:36, Hequn Cheng <chenghe...@gmail.com> wrote:
> > >>
> > >>> Hi Dian,
> > >>>
> > >>> Good idea! +1 to have a security mailing list.
> > >>> It is nice for Flink to have an official procedure to handle security
> > >>> problems, e.g., reporting, addressing and publishing.
> > >>>
> > >>> Best, Hequn
> > >>>
> > >>> On Thu, Nov 14, 2019 at 1:20 PM Jeff Zhang <zjf...@gmail.com> wrote:
> > >>>
> > >>>> Thanks Dian Fu for this proposal. +1 for creating a security mail
> > >>>> list. To be noticed, the security mail list is a private mail list
> > >>>> and cannot be subscribed to publicly.
> > >>>> FYI, Apache members can create mail lists using this self-service
> > >>>> tool: https://selfserve.apache.org/
> > >>>>
> > >>>>
> > >>>> jincheng sun <sunjincheng...@gmail.com> wrote on Thu, Nov 14, 2019
> > >>>> at 12:25 PM:
> > >>>>
> > >>>>> Hi Dian,
> > >>>>>
> > >>>>> Thanks a lot for bringing up this discussion. This is very
> > >>>>> important for the Flink community!
> > >>>>>
> > >>>>> I think setting up a security mailing list for Flink is pretty
> > >>>>> nice, although `secur...@apache.org` can be used and the report
> > >>>>> will be forwarded to the Flink private mailing list if there is no
> > >>>>> project specific security mailing list. One thing that is pretty
> > >>>>> sure is that we should guide users on how to report security
> > >>>>> issues on the Flink website, as security vulnerabilities should
> > >>>>> not be entered into a project's public bug tracker directly,
> > >>>>> according to the guidance on how to handle security
> > >>>>> vulnerabilities on the ASF site[1].
> > >>>>>
> > >>>>> Besides, we also need to add a security page in Flink which shows
> > >>>>> the information about the security vulnerabilities, per the
> > >>>>> guidance on publishing security vulnerabilities on the ASF
> > >>>>> site[2]. Projects such as Spark[3], Kafka[4], etc. already have
> > >>>>> such a page.
> > >>>>>
> > >>>>> Best, Jincheng
> > >>>>>
> > >>>>> [1] https://www.apache.org/security/committers.html#vulnerability-handling
> > >>>>> [2] https://www.apache.org/security/committers.html#publishing-information
> > >>>>> [3] https://spark.apache.org/security.html
> > >>>>> [4] https://kafka.apache.org/cve-list
> > >>>>>
> > >>>>> Dian Fu <dian0511...@gmail.com> wrote on Thu, Nov 14, 2019 at
> > >>>>> 12:12 PM:
> > >>>>>
> > >>>>>> Hi all,
> > >>>>>>
> > >>>>>> I'm reaching out to see if there is an existing security specific
> > >>>>>> mailing list in Flink. If there is, we should expose it on the
> > >>>>>> official web site of Flink [1] to guide people to report security
> > >>>>>> issues to this mailing list. If it doesn't exist yet, I'm here to
> > >>>>>> propose setting up a secur...@flink.apache.org mailing list for
> > >>>>>> reporting and discussion of security specific issues. Currently,
> > >>>>>> most well known Apache projects such as Apache Commons[2],
> > >>>>>> Hadoop[3], Spark[4], Kafka[5], Hive[6], etc. have a security
> > >>>>>> specific mailing list. It would be nice if there is also a
> > >>>>>> security specific mailing list for Flink.
> > >>>>>>
> > >>>>>> Note that users should report security issues to the security
> > >>>>>> mailing list.
> > >>>>>>
> > >>>>>> Looking forward to your feedback!
> > >>>>>>
> > >>>>>> Regards,
> > >>>>>> Dian
> > >>>>>>
> > >>>>>> [1] https://flink.apache.org/community.html
> > >>>>>> [2] https://commons.apache.org/mail-lists.html
> > >>>>>> [3] https://hadoop.apache.org/mailing_lists.html
> > >>>>>> [4] https://spark.apache.org/community.html
> > >>>>>> [5] https://kafka.apache.org/project-security.html
> > >>>>>> [6] https://hive.apache.org/mailing_lists.html
> > >>>>
> > >>>> --
> > >>>> Best Regards
> > >>>>
> > >>>> Jeff Zhang
> > >>>>
> > >
> > >
> >
> >
>