Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Roman Danyliw <rdd@cert.org> Fri, 23 October 2020 18:46 UTC

From: Roman Danyliw <rdd@cert.org>
To: "ietf@ietf.org" <ietf@ietf.org>
Subject: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Date: Fri, 23 Oct 2020 18:46:10 +0000
Message-ID: <5081794697df44d8bd76b675cf08dc23@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/KNbzDAOCrs4ssGZ3q2P4GooTFbg>

Hi!

The Internet Engineering Steering Group (IESG) is seeking community input on reporting protocol vulnerabilities to the IETF.  Specifically, the IESG is proposing guidance to be added to the website at [1] to raise awareness on how the IETF handles this information in the standards process.  The full text (which would be converted to a web page) is at:

https://www.ietf.org/media/documents/Guidance_on_Reporting_Vulnerabilities_to_the_IETF_sqEX1Ly.pdf

This text is intended to be written in an accessible style to help vulnerability researchers, who may not be familiar with the IETF, navigate existing processes to disclose and remediate these vulnerabilities.  With the exception of creating a last resort reporting email alias (protocol-vulnerability@ietf.org), this text is describing current practices in the IETF, albeit ones that may not be consistently applied.

This guidance will serve as a complement to the recently written IETF LLC infrastructure and protocol vulnerability disclosure statement [2].

The IESG appreciates any input from the community on the proposed text and will consider all input received by November 7, 2020.

Regards,
Roman
(for the IESG)

[1] This guidance text would be added to a new URL at https://www.ietf.org/standards/rfcs/vulnerabilities, and then referenced from www.ietf.org/contact, https://www.ietf.org/standards/process/, https://www.ietf.org/standards/rfcs/, and https://www.ietf.org/topics/security/

[2] https://www.ietf.org/about/administration/policies-procedures/vulnerability-disclosure