1. Vulnerability Response

Vulnerability handling process

Vulnerability reception: After an external security researcher discovers a vulnerability, the researcher encrypts the verification steps and exploit details with the community PGP public key and sends them to the security mailbox [security@edgegallery.org].

Vulnerability verification: After receiving the report, the community vulnerability management team verifies the vulnerability and judges its validity. The possible outcomes are: valid vulnerability, duplicate vulnerability, or not a vulnerability.

Vulnerability impact analysis: Analyze the severity of the vulnerability and the scope of its impact.

Apply for a CVE: Prepare the materials and submit a CVE request through the MITRE website.

Vulnerability patching: Propose a fix and assign it to the owner of the affected module for patching.

Vulnerability disclosure: Review and issue a Security Advisory (SA).

2. Vulnerability Management Team

The EdgeGallery Vulnerability Management Team (VMT) was established by security management experts in the community. It is committed to improving EdgeGallery security through architecture, documentation, security testing, security quality requirements, code review, and vulnerability management. The VMT is responsible for the entire vulnerability response process for EdgeGallery: collection, analysis, verification, repair and disclosure.

3. Main responsibilities of VMT

  • Vulnerability source monitoring: Receive security vulnerabilities reported from outside the community.
  • Vulnerability verification: Verify, based on the information provided by the reporter, whether the vulnerability exists.
  • Vulnerability impact analysis: The VMT organizes the impact analysis. If the vulnerability was reported externally, the analysis result is also fed back to the reporter.
  • Applying for a CVE: The VMT is responsible for the CVE application, including preparing the materials, submitting the request, and communicating the result to the person who reported the vulnerability.
  • Vulnerability distribution and patching: Propose fixes for confirmed vulnerabilities and assign them to the owner of the affected module for patching.
  • Vulnerability disclosure: Write, organize and review the Security Advisory (SA), and finally release it.
  • Internal and external communication: Communicate and coordinate with the person who reported the vulnerability and with the security/development lead of each module in the community.
  • Infrastructure guarantee: Keep the vulnerability scanning and vulnerability handling tools running normally, and propose optimization requirements for security tools.

4. VMT main members, responsibilities and contact information

General contact email: security@edgegallery.org

Zhang Beiyuan [zhangbeiyuan@huawei.com] Responsibilities: internal and external communication, vulnerability distribution and repair.

Zhou Yanbing [zhouyanbing.zhou@huawei.com] Responsibilities: vulnerability verification, vulnerability impact analysis.

Hu Bing [hubing62@huawei.com] Responsibilities: vulnerability source monitoring, vulnerability verification, application for CVE, vulnerability disclosure, infrastructure protection.

Note: If the content you send contains sensitive information (such as vulnerability verification or exploit details), please encrypt it with the [PGP public key].

5. Vulnerability report

How to report security vulnerabilities to the EdgeGallery community?

EdgeGallery welcomes external security researchers to discover and report security vulnerabilities so that we can jointly improve the security of EdgeGallery. If you find a suspected security vulnerability, please do not spread it. Fill in the vulnerability information according to the [Security Vulnerability Report Template] (include the detailed verification process and the necessary PoC/exploit code so that we can confirm the vulnerability more quickly) and send it by email to the EdgeGallery security mailbox (security@edgegallery.org). The EdgeGallery community will arrange for someone to contact you within 3 working days and keep you informed of the confirmation result, the handling progress and other information.

Note: If the content to be sent contains sensitive information (such as vulnerability verification or exploit details), you are advised to encrypt it with the dedicated [PGP public key] for reporting security vulnerabilities.

Vulnerability reporting process

6. PGP public key
