▶ Security Issue Reporting and Disclosure Mechanism
1 How to Report Security Issues to the EdgeGallery Community?
If you find a suspected security issue, use the suspected security issue report template to report it. Upon receiving this report, the community vulnerability management team will confirm and fix the issue as soon as possible. After you send the email, your email will be confirmed within one working day, and we will provide more detailed information about the suspected security issue and the next-step handling policy within seven days of the report’s submission.
To ensure security, please use the PGP public key to encrypt your email before sending it.
Security email address: firstname.lastname@example.org
PGP public key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
Table: Suspected security issue report template.

| Field | Content |
|---|---|
| Site Information | OS information; service scenario information |
| Details | If the issue is a public vulnerability, provide the CVE number. If no CVE number has been disclosed, describe the attack method and its result, and attach any other necessary information, such as related code and logs. |
2 Security Issue Disclosure Process
A suspected security issue is handled according to the following process:
● Upon receiving a suspected security issue, the community security operations team will immediately confirm the integrity of reported information and severity of the issue.
● A community team will be organized to carry out technical analysis, confirm the details of the issue, and provide analysis reports.
● Once the vulnerability is confirmed and the CVE application is completed, the vulnerability will be communicated, the subsequent fixing and release plan applied accordingly, and the security advisory (SA) prepared.
● Vulnerability patch development and verification will be completed and restricted disclosure initiated.
● The released patches and the SA will be made public.
▶ Community Security Management Team
The security management experts in the community form the community security management team. The EdgeGallery security working group is committed to improving EdgeGallery security through architecture, documentation, code review, and vulnerability management.
The EdgeGallery security working group’s main objective is to ensure the security and reliability of the EdgeGallery platform and MEC applications, with its key roles including the following:
● Edge platform security
● Project contribution scanning as part of the project infrastructure
● Security during platform deployment
● Security authentication for MEC applications
● Vulnerability management
The main responsibility of vulnerability management is to coordinate the entire process from receipt of a report to disclosure.
● Vulnerability collection: Suspected security vulnerabilities discovered by community members and external researchers can be reported to the security working group through Jira.
● Vulnerability tracking and handling: The security working group will record the confirmed vulnerabilities in the EdgeGallery community, confirm and fix them, and continue to communicate with the reporter throughout the entire process.
● Responsible disclosure: Upon vulnerabilities being properly fixed, the security working group will release vulnerability information to the community in the form of SA.
▶ Community Security Advisory & Notice
1 Community Security Advisory (SA)
2 Community Security Notice (SN)