Clarify the security issue process

[jonaslagoni]

Reason/Context

With more and more tools, we increase the attack surface that might be leveraged in unintended ways. We should provide a structure where code owners and maintainers can spare and help each other solve security issues.

The current security policy we have: https://github.com/asyncapi/community/security/policy (What happens when someone sends an email to this? I have no idea 🤷). Are we using the security advisory feature on GitHub on each repository?

Description

Therefore we should provide a clear structure for everyone evolved to know the entire process. From the reporter to the one fixing the issue.

• Does it make sense to create a security advisory group that can help solve the given issues together with the maintainers?
• Does LF dictate any process we must adhere to?

[jonaslagoni]

Here is my suggestion on how we can improve the current process, and how we can make sure security is a prioritization:

I suggest we use https://docs.github.com/en/code-security/security-advisories throughout the process.

We create a security-advisories team here on GitHub which initially will have access to [email protected] (new email only related to security tips) and responsible for assessing security issues and create security advisories in the affected repositories. It is not the responsibility of the group to fix the security issues, however, it is expected that they collaborate and guide the maintainers of the affected repository.

The team should also bring awareness to more global issues or suggestions as they have the full picture of related security issues.

To create a sense of urgency, I would suggest that we give the maintainers 90 days (it seem to be the standard) to provide a fix in private, if more time passes the security audit will be made public to notify relevant stakeholders of the issue. if the issue is fixed earlier then that it is of course released ASAP.

I suggest we add the entire process to https://github.com/asyncapi/.github/blob/master/SECURITY.md as well as exposure on the website about the team its role and how to help out.

For the team itself, I suggest we start utilizing the TSC for voting purposes to select the security-advisories team members as well as changes to the process itself. The security-advisories team should probably also be affected by a code-of-conduct different from the regular one. Not sure how we should handle this yet though, any ideas? 🤔

This is just an idea from my side but could be really awesome if the group made assessments of tooling on their own periodically. I think we will have to keep the initial process and work for the group as minimal as possible and add more tasks later.

References:

• Based on Adopt Core Infrastructure Initiative Best Practices .github#38 and the 3 levels
  • Passing - https://bestpractices.coreinfrastructure.org/en/criteria/0
  • Silver - https://bestpractices.coreinfrastructure.org/en/criteria/1
  • Gold - https://bestpractices.coreinfrastructure.org/en/criteria/2

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity 😴
It will be closed in 60 days if no further activity occurs. To unstale this issue, add a comment with detailed explanation.
Thank you for your contributions ❤️

[jonaslagoni]

@derberg any process in terms of the TSC progress to enable the vote on this?

[derberg]

no progress yet, might be that AsyncAPI conference setup will speed up cleanup here and maintenance of TSC members list

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity 😴

It will be closed in 120 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation.

There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model.

Let us figure out together how to push this issue forward. Connect with us through one of many communication channels we established here.

Thank you for your patience ❤️

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity 😴

It will be closed in 120 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation.

There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model.

Let us figure out together how to push this issue forward. Connect with us through one of many communication channels we established here.

Thank you for your patience ❤️

[derberg]

@jonaslagoni voting is possible now, in case you want to continue working on this one

[jonaslagoni]

I don't have the bandwidth to solo take this on at the moment and it's not that pressing to prioritize it at the moment. Maybe next year for me.

If others want to take it up, feel free 👍

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity 😴

It will be closed in 120 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation.

There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model.

Let us figure out together how to push this issue forward. Connect with us through one of many communication channels we established here.

Thank you for your patience ❤️

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity 😴

It will be closed in 120 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation.

There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model.

Let us figure out together how to push this issue forward. Connect with us through one of many communication channels we established here.

Thank you for your patience ❤️

[derberg]

I was wondering if there are maybe some foundations or other organizations that sponsor security related improvements in open source 🤔

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity 😴

It will be closed in 120 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation.

There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model.

Let us figure out together how to push this issue forward. Connect with us through one of many communication channels we established here.

Thank you for your patience ❤️

[derberg]

Let's keep it open, so we get reminded. I'm exploring options for more funding and how we could hire more people by the initiative to own such topics