Security Issue Reporting and Disclosure Mechanism


1 How to Report Security Issues to the EdgeGallery Community?

If you find a suspected security issue, use the suspected security issue report template to report it. Upon receiving the report, the community vulnerability management team will confirm and fix the issue as soon as possible. After you send the email, its receipt will be confirmed within one working day, and we will provide more detailed information about the suspected security issue and the next-step handling policy within seven days of the report’s submission.

To ensure security, please use the PGP public key to encrypt your email before sending it.

Security email address: security@edgegallery.org

PGP public key:



Table: Suspected security issue report template.

| Content | Related Information |
| --- | --- |
| Reporter | |
| Contact Information | |
| Organization Information | Individual/Team/Corporate |
| Version Information | |
| Severity | Critical/Major/Minor |
| Issue Description | |
| Site Information | OS information; service scenario information |
| Impact Scope | |
| Details | If the issue is a public vulnerability, provide the CVE number. However, if the CVE number is not disclosed, provide the attack method and result, and attach any other necessary information, such as related code and logs. |
| Suggestion | |

2 Security Issue Disclosure Process

A suspected security issue, once received, is handled as per the following process:

1. Upon receiving a suspected security issue, the community security operations team will immediately confirm the integrity of the reported information and the severity of the issue.
2. A community team will be organized to carry out technical analysis, confirm the details of the issue, and provide analysis reports.
3. Upon confirming the vulnerability and completing the application for CVE, the vulnerability will be communicated, the subsequent fixing and release plan applied accordingly, and the security advisory (SA) will be prepared.
4. The vulnerability patch development/verification will be completed and restricted disclosure initiated.
5. The release patches and SA will be made public.

Community Security Management Team


The security management experts in the community form the community security management team. The EdgeGallery security working group is committed to improving EdgeGallery security through architecture, documentation, code review, and vulnerability management.
The EdgeGallery security working group’s main objective is to ensure the security and reliability of the EdgeGallery platform and MEC applications, with its key roles including the following:

- Edge platform security
- Project contribution scanning as part of the project infrastructure
- Security during platform deployment
- Security authentication for MEC applications
- Vulnerability management

The main responsibility of vulnerability management is to coordinate the entire process from receipt to disclosure.

- Vulnerability collection: Suspected security vulnerabilities discovered by community members and external researchers can be reported to the security working group through Jira.
- Vulnerability tracking and handling: The security working group will record the confirmed vulnerabilities in the EdgeGallery community, confirm and fix them, and continue to communicate with the reporter throughout the entire process.
- Responsible disclosure: Once vulnerabilities are properly fixed, the security working group will release vulnerability information to the community in the form of an SA.

Community Security Advisory & Notice


1 Community Security Advisory (SA)

2 Community Security Notice (SN)