Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Eliot Lear <lear@cisco.com> Mon, 26 October 2020 09:31 UTC

From: Eliot Lear <lear@cisco.com>
Message-Id: <09B0A1A1-6534-4A44-A162-9962FFF8D8B8@cisco.com>
Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Date: Mon, 26 Oct 2020 10:31:46 +0100
In-Reply-To: <5081794697df44d8bd76b675cf08dc23@cert.org>
Cc: The IETF List <ietf@ietf.org>
To: Roman Danyliw <rdd@cert.org>
References: <5081794697df44d8bd76b675cf08dc23@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/GP0yg5dKgGp5H_mgUNwfJWp90DE>

Hi Roman,

Thank you for writing this down.  It’s a great initiative.  I would suggest some revision to accomplish two key points in support of the goal of encouraging researchers to report problems to us:

1. Simplify the flow
2. Make clear their work is appreciated

Starting with the latter, the following statement in the document should be close to the first words read:

“The IETF values your critical analysis of its work.”

That sets the tone for the rest of the document.  You might modify it to capture Rich’s point, “While we are unable to pay bug bounties, The IETF values your critical analysis of its work.”

To make it clear who “your” is, you might want to simply state at the beginning of the document, “Dear security researchers”.  That way you can entirely nuke out scope, which most people will just find to be officiousness getting in the way of what they’re really trying to learn, which is how to disclose to the IETF.

Second, it helps to simplify by having a routing function.  Researchers and most others don't want to play Inside Baseball with us.  Since you are already advertising “protocol-vulnerability@ietf.org” why not just let that be the lead point of contact, and say something like this:

If you believe you’ve discovered a protocol vulnerability, we would appreciate it if you were to email “protocol-vulnerability@ietf.org” as well as the document authors.  You are also invited to take your findings to any open IETF working group or mailing list that you believe would be appropriate.  All of our work is public, and therefore, disclosing to a working group or mailing list is public.  In some cases, we may ask you to file an errata, and we will guide you through that process.

The idea here is that fewer words are better, and less process put in front of people that will cause them a bad taste is better.  I’m not suggesting those be the only words - talking about how to disclose privately is worthwhile (IMHO); also setting expectations is important.  Old cruft or non-IETF docs may never get fixed, and even newer stuff might take quite a while.  And encouraging participation in the fix is of course appreciated.  New stuff in drafts might be fixed very quickly!  But I don’t see that it is necessary or helpful to go into too much detail about the structure of our work.  The KISS principle applies.  Thus the diagram should be unnecessary.  If a diagram is necessary, it means KISS has been violated.

Finally, while we might not give bug bounties, we could at least toss these people a tee shirt or a mug, or if nothing else, honorable mention at meetings or in proceedings.  Again, it reinforces that we think their contributions are important.

Best regards,

Eliot

> On 23 Oct 2020, at 20:46, Roman Danyliw <rdd@cert.org> wrote:
> 
> Hi!
> 
> The Internet Engineering Steering Group (IESG) is seeking community input on reporting protocol vulnerabilities to the IETF.  Specifically, the IESG is proposing guidance to be added to the website at [1] to raise awareness on how the IETF handles this information in the standards process.  The full text (which would be converted to a web page) is at:
> 
> https://www.ietf.org/media/documents/Guidance_on_Reporting_Vulnerabilities_to_the_IETF_sqEX1Ly.pdf
> 
> This text is intended to be written in an accessible style to help vulnerability researchers, who may not be familiar with the IETF, navigate existing processes to disclose and remediate these vulnerabilities.  With the exception of creating a last resort reporting email alias (protocol-vulnerability@ietf.org), this text is describing current practices in the IETF, albeit ones that may not be consistently applied.
> 
> This guidance will serve as a complement to the recently written IETF LLC infrastructure and protocol vulnerability disclosure statement [2]. 
> 
> The IESG appreciates any input from the community on the proposed text and will consider all input received by November 7, 2020.
> 
> Regards,
> Roman
> (for the IESG)
> 
> [1] This guidance text would be added to a new URL at https://www.ietf.org/standards/rfcs/vulnerabilities, and then referenced from www.ietf.org/contact, https://www.ietf.org/standards/process/, https://www.ietf.org/standards/rfcs/, and https://www.ietf.org/topics/security/
> 
> [2] https://www.ietf.org/about/administration/policies-procedures/vulnerability-disclosure