From 542ba7f209434d2321e2426a797646848e0816ac Mon Sep 17 00:00:00 2001 From: Artur Souza Date: Mon, 17 Jun 2024 15:05:46 -0700 Subject: [PATCH 01/17] Update Reporting security issues Signed-off-by: Artur Souza --- .../support/support-security-issues.md | 66 +++++++++++++++++-- 1 file changed, 62 insertions(+), 4 deletions(-) diff --git a/daprdocs/content/en/operations/support/support-security-issues.md b/daprdocs/content/en/operations/support/support-security-issues.md index c33ce0b16..308e91c27 100644 --- a/daprdocs/content/en/operations/support/support-security-issues.md +++ b/daprdocs/content/en/operations/support/support-security-issues.md 
@@ -6,10 +6,68 @@ weight: 3000 description: "How to report a security concern or vulnerability to the Dapr maintainers." --- -The Dapr organization and team makes security a central focus of how we operate and design our software. From the Dapr binaries to the GitHub release processes, we take numerous steps to ensure user applications and data is secure. For more information visit the [security page]({{< ref security-concept.md >}}). +The Dapr project and maintainers make security a central focus of how we operate and design our software. From the Dapr binaries to the GitHub release processes, we take numerous steps to ensure user applications and data is secure. For more information on how security is built-in to Dapr, visit the [security page]({{< ref security-concept.md >}}). -## Reporting security issues +## Covered Repositories and Issues -To report a security issue, please privately email the [Dapr Maintainers (dapr@dapr.io)](mailto:dapr@dapr.io?subject=[Security%20Disclosure]:%20ISSUE%20TITLE) +When we say "a security vulnerability in Dapr" we mean a security issue +in any repository under the [dapr GitHub organization](https://github.com/dapr/). -The Dapr maintainers will triage and respond ASAP and then patch and send an announcement within 30 days. +This reporting process is intended only for security issues in the Dapr +project itself, and doesn't apply to applications _using_ Dapr or to +issues which do not affect security. + +If the issue cannot be fixed by a change to one of the covered +repositories above, then it recommended to create a GitHub issue in the appropriate repo or a question in Discord. + +All that said, **if you're unsure** please reach out using this process before +raising your issue through another channel. We'd rather err on the side of +caution! 
+ +### Explicitly Not Covered: Vulnerability Scanner Reports + +We do not accept reports which amount to copy and pasted output from a vulnerability +scanning tool **unless** work has specifically been done to confirm that a vulnerability +reported by the tool _actually exists_ in Dapr, including CLI, SDKs, components-contrib +or any other repo under the Dapr org. + +We make use of these tools ourselves and try to act on the output they produce; they +can be useful! We tend to find, however, that when these reports are sent to our security +mailing list they almost always represent false positives, since these tools tend to check +for the presence of a library without considering how the library is used in context. + +If we receive a report which seems to simply be a vulnerability list from a scanner we +reserve the right to ignore it. + +This applies especially when tools produce vulnerability identifiers which are not publicly +visible or which are proprietary in some way. We can look up CVEs or other publicly-available +identifiers for further details, but cannot do the same for proprietary identifiers. + +## Security Contacts + +The people who should have access to read your security report are listed in [`maintainers.csv`](/maintainers.csv). + +## Reporting Process + +1. Describe the issue in English, ideally with some example configuration or + code which allows the issue to be reproduced. Explain why you believe this + to be a security issue in Dapr, if that's not obvious. +2. Put that information into an email. Use a descriptive title. +3. Send the email to [Dapr Maintainers (dapr@dapr.io)](mailto:dapr@dapr.io?subject=[Security%20Disclosure]:%20ISSUE%20TITLE) + +## Response + +Response times could be affected by weekends, holidays, breaks or time zone +differences. That said, the maintainers team will endeavour to reply as +soon as possible, ideally within 3 working days. 
+ +If the team concludes that the reported issue is indeed a security +vulnerability in a Dapr project, at least two members of the maintainers +team will discuss the next steps together as soon as possible, ideally +within 24 hours. + +As soon as the team decides that the report is of a genuine vulnerability, +one of the team will respond to the reporter acknowledging the issue and +establishing a disclosure timeline, which should be as soon as possible. + +Triage, response, patching and announcement should all happen within 30 days. From 71b8ffbe685d6b8c265d29dbb09205a9c9d2231c Mon Sep 17 00:00:00 2001 From: Mark Fussell Date: Fri, 21 Jun 2024 21:00:26 -0700 Subject: [PATCH 02/17] Update daprdocs/content/en/operations/support/support-security-issues.md Signed-off-by: Mark Fussell --- .../content/en/operations/support/support-security-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/operations/support/support-security-issues.md b/daprdocs/content/en/operations/support/support-security-issues.md index 308e91c27..cec96a908 100644 --- a/daprdocs/content/en/operations/support/support-security-issues.md +++ b/daprdocs/content/en/operations/support/support-security-issues.md 
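Review bot: the new "Reporting Process" list asks for a description and a reproducer but never asks for the Dapr version, the affected repository (runtime, CLI, SDK, components-contrib) or the component involved, yet the "Response" section commits two maintainers to triaging within 24 hours; add a step such as "State the Dapr version and the repository/component affected" so triage does not have to round-trip with the reporter. Two smaller points in the same hunk: "then it recommended to create a GitHub issue" is missing "is" (or "it's"), and the opening paragraph still reads "user applications and data is secure" where "are secure" is wanted. The "Security Contacts" link points at the site-relative path `/maintainers.csv`; confirm that file is actually published by the docs site, otherwise link the community repository's maintainers list directly.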
@@ -6,7 +6,7 @@ weight: 3000 description: "How to report a security concern or vulnerability to the Dapr maintainers." --- -The Dapr project and maintainers make security a central focus of how we operate and design our software. From the Dapr binaries to the GitHub release processes, we take numerous steps to ensure user applications and data is secure. For more information on how security is built-in to Dapr, visit the [security page]({{< ref security-concept.md >}}). +The Dapr project and maintainers make security a central focus of how we operate and design our software. From the Dapr binaries to the GitHub release processes, we take numerous steps to ensure user applications and data is secure. For more information on Dapr security features, visit the [security page]({{< ref security-concept.md >}}). ## Covered Repositories and Issues From 52fd9d77d7ea630d2b3cb87b6958e86241fb317a Mon Sep 17 00:00:00 2001 From: Mark Fussell Date: Fri, 21 Jun 2024 21:00:38 -0700 Subject: [PATCH 03/17] Update daprdocs/content/en/operations/support/support-security-issues.md Signed-off-by: Mark Fussell --- .../content/en/operations/support/support-security-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/operations/support/support-security-issues.md b/daprdocs/content/en/operations/support/support-security-issues.md index cec96a908..47db7169b 100644 --- a/daprdocs/content/en/operations/support/support-security-issues.md +++ b/daprdocs/content/en/operations/support/support-security-issues.md @@ -10,7 +10,7 @@ The Dapr project and maintainers make security a central focus of how we operate ## Covered Repositories and Issues -When we say "a security vulnerability in Dapr" we mean a security issue +When we say "a security vulnerability in Dapr", this means a security issue in any repository under the [dapr GitHub organization](https://github.com/dapr/). This reporting process is intended only for security issues in the Dapr 
From fc2471267547488c83e0ac37c2dc6521adb9054b Mon Sep 17 00:00:00 2001 From: Mark Fussell Date: Fri, 21 Jun 2024 21:00:56 -0700 Subject: [PATCH 04/17] Update daprdocs/content/en/operations/support/support-security-issues.md Co-authored-by: Hannah Hunter <94493363+hhunter-ms@users.noreply.github.com> Signed-off-by: Mark Fussell --- .../content/en/operations/support/support-security-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/operations/support/support-security-issues.md b/daprdocs/content/en/operations/support/support-security-issues.md index 47db7169b..e69db4f90 100644 --- a/daprdocs/content/en/operations/support/support-security-issues.md +++ b/daprdocs/content/en/operations/support/support-security-issues.md @@ -18,7 +18,7 @@ project itself, and doesn't apply to applications _using_ Dapr or to issues which do not affect security. If the issue cannot be fixed by a change to one of the covered -repositories above, then it recommended to create a GitHub issue in the appropriate repo or a question in Discord. +repositories above, then it's recommended to create a GitHub issue in the appropriate repo or raise a question in Discord. All that said, **if you're unsure** please reach out using this process before raising your issue through another channel. We'd rather err on the side of From 8e210f104666e448b9edac71dcfbcad618c62b45 Mon Sep 17 00:00:00 2001 From: Mark Fussell Date: Fri, 21 Jun 2024 21:01:07 -0700 Subject: [PATCH 05/17] Update daprdocs/content/en/operations/support/support-security-issues.md Co-authored-by: Hannah Hunter <94493363+hhunter-ms@users.noreply.github.com> Signed-off-by: Mark Fussell --- .../content/en/operations/support/support-security-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/operations/support/support-security-issues.md b/daprdocs/content/en/operations/support/support-security-issues.md index e69db4f90..9b2402582 100644 
--- a/daprdocs/content/en/operations/support/support-security-issues.md +++ b/daprdocs/content/en/operations/support/support-security-issues.md @@ -21,7 +21,7 @@ If the issue cannot be fixed by a change to one of the covered repositories above, then it's recommended to create a GitHub issue in the appropriate repo or raise a question in Discord. All that said, **if you're unsure** please reach out using this process before -raising your issue through another channel. We'd rather err on the side of +raising your issue through GitHub, Discord, or another channel. caution! ### Explicitly Not Covered: Vulnerability Scanner Reports From 3489fa394adc11102b8680757ab1179b5f76bc6f Mon Sep 17 00:00:00 2001 From: Mark Fussell Date: Fri, 21 Jun 2024 21:01:20 -0700 Subject: [PATCH 06/17] Update daprdocs/content/en/operations/support/support-security-issues.md Co-authored-by: Hannah Hunter <94493363+hhunter-ms@users.noreply.github.com> Signed-off-by: Mark Fussell --- .../content/en/operations/support/support-security-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/operations/support/support-security-issues.md b/daprdocs/content/en/operations/support/support-security-issues.md index 9b2402582..22e3f7165 100644 --- a/daprdocs/content/en/operations/support/support-security-issues.md +++ b/daprdocs/content/en/operations/support/support-security-issues.md @@ -28,7 +28,7 @@ caution! We do not accept reports which amount to copy and pasted output from a vulnerability scanning tool **unless** work has specifically been done to confirm that a vulnerability -reported by the tool _actually exists_ in Dapr, including CLI, SDKs, components-contrib +reported by the tool _actually exists_ in Dapr, including the CLI, Dapr SDKs, the components-contrib repo, or any other repo under the Dapr org. We make use of these tools ourselves and try to act on the output they produce; they From 4b711d2e2c4c161a0631139d1ec7386b85b76dfa Mon Sep 17 00:00:00 2001 
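Review bot: in PATCH 05 the replaced line drops "We'd rather err on the side of" but leaves the next unchanged context line, "caution!", standing on its own, so after this commit the page reads "...or another channel.\ncaution!". The replacement needs to cover both lines in one hunk (for example "... or another channel. We'd rather err on the side of caution!" or remove "caution!" in the same change); PATCH 15 later deletes the stray word, so squash the two commits so no intermediate state of the docs is broken.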
From: Mark Fussell Date: Fri, 21 Jun 2024 21:02:44 -0700 Subject: [PATCH 07/17] Update daprdocs/content/en/operations/support/support-security-issues.md Co-authored-by: Hannah Hunter <94493363+hhunter-ms@users.noreply.github.com> Signed-off-by: Mark Fussell --- .../content/en/operations/support/support-security-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/operations/support/support-security-issues.md b/daprdocs/content/en/operations/support/support-security-issues.md index 22e3f7165..8929d96af 100644 --- a/daprdocs/content/en/operations/support/support-security-issues.md +++ b/daprdocs/content/en/operations/support/support-security-issues.md @@ -36,7 +36,7 @@ can be useful! We tend to find, however, that when these reports are sent to our mailing list they almost always represent false positives, since these tools tend to check for the presence of a library without considering how the library is used in context. -If we receive a report which seems to simply be a vulnerability list from a scanner we +If we receive a report which seems to simply be a vulnerability list from a scanner, we reserve the right to ignore it. This applies especially when tools produce vulnerability identifiers which are not publicly From 1bfd33671ab34f806bb1a489596fec38940d1930 Mon Sep 17 00:00:00 2001 From: Mark Fussell Date: Fri, 21 Jun 2024 21:03:23 -0700 Subject: [PATCH 08/17] Update daprdocs/content/en/operations/support/support-security-issues.md Signed-off-by: Mark Fussell --- .../content/en/operations/support/support-security-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/operations/support/support-security-issues.md b/daprdocs/content/en/operations/support/support-security-issues.md index 8929d96af..58a700d37 100644 --- a/daprdocs/content/en/operations/support/support-security-issues.md +++ b/daprdocs/content/en/operations/support/support-security-issues.md 
@@ -31,7 +31,7 @@ scanning tool **unless** work has specifically been done to confirm that a vulne reported by the tool _actually exists_ in Dapr, including the CLI, Dapr SDKs, the components-contrib repo, or any other repo under the Dapr org. -We make use of these tools ourselves and try to act on the output they produce; they +We make use of these tools ourselves and try to act on the output they produce. can be useful! We tend to find, however, that when these reports are sent to our security mailing list they almost always represent false positives, since these tools tend to check for the presence of a library without considering how the library is used in context. From 4130f414ce62e0b5c0bc54a10fb33ba0ad8469b8 Mon Sep 17 00:00:00 2001 From: Mark Fussell Date: Fri, 21 Jun 2024 21:03:30 -0700 Subject: [PATCH 09/17] Update daprdocs/content/en/operations/support/support-security-issues.md Signed-off-by: Mark Fussell --- .../content/en/operations/support/support-security-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/operations/support/support-security-issues.md b/daprdocs/content/en/operations/support/support-security-issues.md index 58a700d37..b5df82492 100644 --- a/daprdocs/content/en/operations/support/support-security-issues.md +++ b/daprdocs/content/en/operations/support/support-security-issues.md @@ -32,7 +32,7 @@ reported by the tool _actually exists_ in Dapr, including the CLI, Dapr SDKs, th or any other repo under the Dapr org. We make use of these tools ourselves and try to act on the output they produce. -can be useful! We tend to find, however, that when these reports are sent to our security +We tend to find, however, that when these reports are sent to our security mailing list they almost always represent false positives, since these tools tend to check for the presence of a library without considering how the library is used in context. 
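Review bot: PATCH 08 ends the sentence at "the output they produce." but leaves the following context line "can be useful!" as a dangling fragment; PATCH 09 then removes that fragment in a separate commit. These are one logical change and should be a single hunk spanning both lines (`-We make use of these tools ourselves and try to act on the output they produce; they` / `-can be useful! We tend to find, however, ...`), otherwise bisecting or cherry-picking PATCH 08 alone yields a broken paragraph.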
From bb09742bcdd1ec78fac1707414bec6cd0acbd291 Mon Sep 17 00:00:00 2001 From: Mark Fussell Date: Fri, 21 Jun 2024 21:03:41 -0700 Subject: [PATCH 10/17] Update daprdocs/content/en/operations/support/support-security-issues.md Signed-off-by: Mark Fussell --- .../content/en/operations/support/support-security-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/operations/support/support-security-issues.md b/daprdocs/content/en/operations/support/support-security-issues.md index b5df82492..628c0c5e5 100644 --- a/daprdocs/content/en/operations/support/support-security-issues.md +++ b/daprdocs/content/en/operations/support/support-security-issues.md @@ -51,7 +51,7 @@ The people who should have access to read your security report are listed in [`m 1. Describe the issue in English, ideally with some example configuration or code which allows the issue to be reproduced. Explain why you believe this - to be a security issue in Dapr, if that's not obvious. + to be a security issue in Dapr. 2. Put that information into an email. Use a descriptive title. 3. Send the email to [Dapr Maintainers (dapr@dapr.io)](mailto:dapr@dapr.io?subject=[Security%20Disclosure]:%20ISSUE%20TITLE) From 600a92fa75cebd1c1d7220f92e52f79cf7f26864 Mon Sep 17 00:00:00 2001 From: Mark Fussell Date: Fri, 21 Jun 2024 21:04:28 -0700 Subject: [PATCH 11/17] Update daprdocs/content/en/operations/support/support-security-issues.md Co-authored-by: Hannah Hunter <94493363+hhunter-ms@users.noreply.github.com> Signed-off-by: Mark Fussell --- .../content/en/operations/support/support-security-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/operations/support/support-security-issues.md b/daprdocs/content/en/operations/support/support-security-issues.md index 628c0c5e5..d0e25d0d6 100644 --- a/daprdocs/content/en/operations/support/support-security-issues.md +++ b/daprdocs/content/en/operations/support/support-security-issues.md 
@@ -58,7 +58,7 @@ The people who should have access to read your security report are listed in [`m ## Response Response times could be affected by weekends, holidays, breaks or time zone -differences. That said, the maintainers team will endeavour to reply as +differences. That said, the maintainers team endeavours to reply as soon as possible, ideally within 3 working days. If the team concludes that the reported issue is indeed a security From e4fef583d92ce5172d8de3370226c4933c3bc400 Mon Sep 17 00:00:00 2001 From: Mark Fussell Date: Fri, 21 Jun 2024 21:04:33 -0700 Subject: [PATCH 12/17] Update daprdocs/content/en/operations/support/support-security-issues.md Co-authored-by: Hannah Hunter <94493363+hhunter-ms@users.noreply.github.com> Signed-off-by: Mark Fussell --- .../content/en/operations/support/support-security-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/operations/support/support-security-issues.md b/daprdocs/content/en/operations/support/support-security-issues.md index d0e25d0d6..20c8b1ef1 100644 --- a/daprdocs/content/en/operations/support/support-security-issues.md +++ b/daprdocs/content/en/operations/support/support-security-issues.md @@ -67,7 +67,7 @@ team will discuss the next steps together as soon as possible, ideally within 24 hours. As soon as the team decides that the report is of a genuine vulnerability, -one of the team will respond to the reporter acknowledging the issue and +one of the team responds to the reporter acknowledging the issue and establishing a disclosure timeline, which should be as soon as possible. Triage, response, patching and announcement should all happen within 30 days. From 704aa762bb3dc8568e43fd4a66b30d83fdd4f71d Mon Sep 17 00:00:00 2001 From: Mark Fussell Date: Fri, 21 Jun 2024 21:04:42 -0700 Subject: [PATCH 13/17] Update daprdocs/content/en/operations/support/support-security-issues.md Co-authored-by: Hannah Hunter <94493363+hhunter-ms@users.noreply.github.com> 
Signed-off-by: Mark Fussell --- .../content/en/operations/support/support-security-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/operations/support/support-security-issues.md b/daprdocs/content/en/operations/support/support-security-issues.md index 20c8b1ef1..fbb79032c 100644 --- a/daprdocs/content/en/operations/support/support-security-issues.md +++ b/daprdocs/content/en/operations/support/support-security-issues.md @@ -63,7 +63,7 @@ soon as possible, ideally within 3 working days. If the team concludes that the reported issue is indeed a security vulnerability in a Dapr project, at least two members of the maintainers -team will discuss the next steps together as soon as possible, ideally +team discuss the next steps together as soon as possible, ideally within 24 hours. As soon as the team decides that the report is of a genuine vulnerability, From 7e53c198c3031e1427a2d58927b48d545342c4ff Mon Sep 17 00:00:00 2001 From: Mark Fussell Date: Fri, 21 Jun 2024 21:04:51 -0700 Subject: [PATCH 14/17] Update daprdocs/content/en/operations/support/support-security-issues.md Signed-off-by: Mark Fussell --- .../content/en/operations/support/support-security-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/operations/support/support-security-issues.md b/daprdocs/content/en/operations/support/support-security-issues.md index fbb79032c..8d9987b4a 100644 --- a/daprdocs/content/en/operations/support/support-security-issues.md +++ b/daprdocs/content/en/operations/support/support-security-issues.md 
@@ -45,7 +45,7 @@ identifiers for further details, but cannot do the same for proprietary identifi ## Security Contacts -The people who should have access to read your security report are listed in [`maintainers.csv`](/maintainers.csv). +The people who should have access to read your security report are listed in [`maintainers.md`](https://github.com/dapr/community/blob/master/MAINTAINERS.md). ## Reporting Process From 9391173de8df30bfec8368b4df7fc9b790be3b7a Mon Sep 17 00:00:00 2001 From: Mark Fussell Date: Fri, 21 Jun 2024 21:05:02 -0700 Subject: [PATCH 15/17] Update daprdocs/content/en/operations/support/support-security-issues.md Co-authored-by: Hannah Hunter <94493363+hhunter-ms@users.noreply.github.com> Signed-off-by: Mark Fussell --- .../content/en/operations/support/support-security-issues.md | 1 - 1 file changed, 1 deletion(-) diff --git a/daprdocs/content/en/operations/support/support-security-issues.md b/daprdocs/content/en/operations/support/support-security-issues.md index 8d9987b4a..b04b9eb51 100644 --- a/daprdocs/content/en/operations/support/support-security-issues.md +++ b/daprdocs/content/en/operations/support/support-security-issues.md @@ -22,7 +22,6 @@ repositories above, then it's recommended to create a GitHub issue in the approp All that said, **if you're unsure** please reach out using this process before raising your issue through GitHub, Discord, or another channel. -caution! ### Explicitly Not Covered: Vulnerability Scanner Reports From 2a3c5a6b66a69914034b7df03b6ab370bf42d962 Mon Sep 17 00:00:00 2001 From: Mark Fussell Date: Fri, 21 Jun 2024 21:05:10 -0700 Subject: [PATCH 16/17] Update daprdocs/content/en/operations/support/support-security-issues.md Co-authored-by: Hannah Hunter <94493363+hhunter-ms@users.noreply.github.com> Signed-off-by: Mark Fussell --- .../content/en/operations/support/support-security-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
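Review bot: in PATCH 14 the link text `maintainers.md` does not match the target file name `MAINTAINERS.md` in `dapr/community`; use the exact file name in the text so readers searching the repo find it. The URL also hard-codes the `master` branch (`/blob/master/MAINTAINERS.md`); since this is the list of people trusted to receive vulnerability reports, prefer a branch-independent link (or at least confirm the default branch name) so the page does not silently 404 if the branch is renamed.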
diff --git a/daprdocs/content/en/operations/support/support-security-issues.md b/daprdocs/content/en/operations/support/support-security-issues.md index b04b9eb51..d1bd6a351 100644 --- a/daprdocs/content/en/operations/support/support-security-issues.md +++ b/daprdocs/content/en/operations/support/support-security-issues.md @@ -20,7 +20,7 @@ issues which do not affect security. If the issue cannot be fixed by a change to one of the covered repositories above, then it's recommended to create a GitHub issue in the appropriate repo or raise a question in Discord. -All that said, **if you're unsure** please reach out using this process before +**If you're unsure,** err on the side of caution and reach out using the reporting process before raising your issue through GitHub, Discord, or another channel. ### Explicitly Not Covered: Vulnerability Scanner Reports From 6e125127750c1a87025c169922757e7d78de27c1 Mon Sep 17 00:00:00 2001 From: Mark Fussell Date: Fri, 21 Jun 2024 21:05:17 -0700 Subject: [PATCH 17/17] Update daprdocs/content/en/operations/support/support-security-issues.md Signed-off-by: Mark Fussell --- .../content/en/operations/support/support-security-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/operations/support/support-security-issues.md b/daprdocs/content/en/operations/support/support-security-issues.md index d1bd6a351..1ae3fce27 100644 --- a/daprdocs/content/en/operations/support/support-security-issues.md +++ b/daprdocs/content/en/operations/support/support-security-issues.md 
@@ -8,7 +8,7 @@ description: "How to report a security concern or vulnerability to the Dapr main The Dapr project and maintainers make security a central focus of how we operate and design our software. From the Dapr binaries to the GitHub release processes, we take numerous steps to ensure user applications and data is secure. For more information on Dapr security features, visit the [security page]({{< ref security-concept.md >}}). -## Covered Repositories and Issues +## Repositories and issues covered When we say "a security vulnerability in Dapr", this means a security issue in any repository under the [dapr GitHub organization](https://github.com/dapr/).
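Review bot: PATCH 17 changes "Covered Repositories and Issues" to sentence case ("Repositories and issues covered") while the other headings added in PATCH 01 in the same file ("Explicitly Not Covered: Vulnerability Scanner Reports", "Security Contacts", "Reporting Process") stay in title case, so the page ends up with mixed heading styles. Apply one convention across all headings in this file, and if sentence case is the docs standard, include the remaining headings in this hunk.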