Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Eliot Lear <lear@cisco.com> Fri, 06 November 2020 10:52 UTC

From: Eliot Lear <lear@cisco.com>
Message-Id: <0B527BC4-E6F3-49B7-993A-CC239DA88ABA@cisco.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_4D187927-B7D1-4400-954F-29A31A237903"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Date: Fri, 6 Nov 2020 11:51:32 +0100
In-Reply-To: <db801fd08d8b4a3ab8b227311cf30337@cert.org>
Cc: The IETF List <ietf@ietf.org>
To: Roman Danyliw <rdd@cert.org>
References: <5081794697df44d8bd76b675cf08dc23@cert.org> <09B0A1A1-6534-4A44-A162-9962FFF8D8B8@cisco.com> <362d68dd6117452f925322f8180de423@cert.org> <B864FFAE-3E3E-4CEF-B832-4552C8BAE70B@cisco.com> <28e48db9700d49dd97dc0023761a8906@cert.org> <0E4F9F37-6907-496F-BBCA-112FE6CA75FB@cisco.com> <0112bba51cd441d786287b3fb74c3ab0@cert.org> <db801fd08d8b4a3ab8b227311cf30337@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/ISIWelC5uaHVEmIzHdJQzfNy_HE>

Thanks, Roman.  I appreciate the work.  Please take all of these as suggestions for your consideration, and nothing more (e.g., I’m not pounding my shoe on the table).

My thinking is this:

> Detailed guidance to navigate the disclosure and remediation of vulnerabilities in the IETF is documented below.


… combined with The Full Monty below might still leave security researchers with the feel that the onus is on them to drive a process that they may see as daunting.  It is only their responsibility if they wish to take it on.  They may find that it’s easier to talk to a C-Net reporter instead, and then have someone else pick up the work and go through our process if they wish, or not.

The solution for this is probably simple enough: a slight tonal change and a click.  That is:

> Click <here> if you would like to see the full explanation of the process for disclosure and remediation of vulnerabilities.

That gives them a choice in terms of how far down the rabbit hole they want to go with us, but makes clear that there is at least a reporting path if they want to start slowly.

A few other comments:

The scope paragraphs are overly complex.  They can be reduced to the following:

> You can use this disclosure policy to report vulnerabilities in our protocols and technical specifications that you find in either RFCs or our working documents, Internet-Drafts (I-Ds).  You should report specific implementation vulnerabilities to their maintainers, and not to us.  If you spot a vulnerability on our web site or tools, click <here> to report it, and it will be reviewed by the appropriate tooling team.


If you feel more comfortable putting this in passive, that’s a stylistic thing.  I’m an informal guy.

The section title, “Expectations from the IETF” doesn’t quite seem right.  “From” doesn’t usually follow “Expectations”, and the writing below doesn’t make a correction obvious.  I won’t claim to be the world’s best grammarian, but perhaps that’s worth a quick review.

Thanks again for getting this done.

Eliot

> On 6 Nov 2020, at 03:45, Roman Danyliw <rdd@cert.org> wrote:
> 
> Hi Eliot!
>  
> Merging additional feedback on the executive summary and going for even more simplicity on the process so that the catch-all alias can be mentioned quickly, see the following:
>  
> https://github.com/ietf/vul-reporting-guidance/commit/edd6ac432d106482a09199bfb9a139c934249577
>  
> Roman
>  
> From: Roman Danyliw 
> Sent: Wednesday, October 28, 2020 10:53 AM
> To: 'Eliot Lear' <lear@cisco.com>
> Cc: The IETF List <ietf@ietf.org>
> Subject: RE: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
>  
> Hi Eliot!
>  
> From: Eliot Lear <lear@cisco.com>
> Sent: Wednesday, October 28, 2020 6:34 AM
> To: Roman Danyliw <rdd@cert.org>
> Cc: The IETF List <ietf@ietf.org>
> Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
>  
> Hi Roman,
>  
> 
> On 27 Oct 2020, at 20:06, Roman Danyliw <rdd@cert.org> wrote:
>  
> Hi Eliot!
>  
> [Roman] In my view, the proposed text effectively says “this is the IETF process and as a last resort, please use the catch all alias”.  My read of your tighter text is the opposite, “here is a new reporting alias, consider also getting involved in the IETF processes”.  Put in another way, we are actively steering away from established processes (e.g., using the mailing lists) and preferring the triage alias as the first step.  With the reduced text, we are no longer explaining “all the usual processes”.
>  
>  
> Ok, here’s a slightly tweaked version of that text to address how you read the doc:
>  
>  
> If you believe you’ve discovered a protocol vulnerability, we very much welcome your contribution.  
> You are also invited to take your findings to any open IETF working group or mailing list that you believe would be appropriate, in order to discuss protocol improvements to address any vulnerabilities.  If you do not know which IETF working group or mailing list to use or otherwise need help with our processes, we invite you to email “protocol-vulnerability@ietf.org” as well as the document authors, and we will assist you.  All of our work is public, and therefore, disclosing to a working group or mailing list is public.  In some cases, we may ask you to file an erratum, and we will be happy to guide you through that process.
>  
>  
> Again, fewer words are better.  And again, adding a few sentences about expectations is just fine.  This should make clear that the mailing list is intended to provide assistance, not triage, and it is entirely optional.
>  
> Does that make it clearer that we’re not gate keeping?
>  
> [Roman] Indeed it does.  I’d recommend a bit more wordsmithing based on the other feedback provided on payment and inclusion, but the substance is there for me.  Let me get the text into github so edits are easier to manage.
>  
> [Roman] To check that we’re on the same page, I see a future version of text like this as the up-front summary.  I believe we still need the existing detailed text to describe the detailed process by which to engage the IETF (alluded to in this style of summary).  Agreed?
>  
> Regards,
> Roman
>  
> Eliot
>  
> Eliot