RE: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Roman Danyliw <rdd@cert.org> Mon, 09 November 2020 22:52 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/jCAXRVUSojRIeD1U18FxSMa5vMc>

Hi!

Thank you for all of the public and private feedback on this proposed text.  As a result, I think we have much better guidance to post.

There are a few outstanding editorial issues to address, which will occur prior to publishing.

Thanks again!

Regards,
Roman

> -----Original Message-----
> From: Roman Danyliw
> Sent: Wednesday, October 28, 2020 5:30 PM
> To: ietf@ietf.org
> Subject: RE: Call for Community Feedback: Guidance on Reporting Protocol
> Vulnerabilities
> 
> Hi!
> 
> To make it easier to provide updates, the originally referenced PDF has been
> converted to markdown and added to github:
> 
> https://github.com/ietf/vul-reporting-guidance
> 
> Feedback on the text submitted to date with replies to this thread is tracked via
> issues here:
> 
> https://github.com/ietf/vul-reporting-guidance/issues
> 
> Regards,
> Roman
> 
> > -----Original Message-----
> > From: ietf <ietf-bounces@ietf.org> On Behalf Of Roman Danyliw
> > Sent: Friday, October 23, 2020 2:46 PM
> > To: ietf@ietf.org
> > Subject: Call for Community Feedback: Guidance on Reporting Protocol
> > Vulnerabilities
> >
> > Hi!
> >
> > The Internet Engineering Steering Group (IESG) is seeking community
> > input on reporting protocol vulnerabilities to the IETF.
> > Specifically, the IESG is proposing guidance to be added to the
> > website at [1] to raise awareness on how the IETF handles this
> > information in the standards process.  The full text (which would be
> > converted to a web page) is at:
> >
> > https://www.ietf.org/media/documents/Guidance_on_Reporting_Vulnerabilities_to_the_IETF_sqEX1Ly.pdf
> >
> > This text is intended to be written in an accessible style to help
> > vulnerability researchers, who may not be familiar with the IETF,
> > navigate existing processes to disclose and remediate these
> > vulnerabilities.  With the exception of creating a last resort
> > reporting email alias (protocol-vulnerability@ietf.org), this text is
> > describing current practices in the IETF, albeit ones that may not be
> > consistently applied.
> >
> > This guidance will serve as a complement to the recently written IETF
> > LLC infrastructure and protocol vulnerability disclosure statement [2].
> >
> > The IESG appreciates any input from the community on the proposed text
> > and will consider all input received by November 7, 2020.
> >
> > Regards,
> > Roman
> > (for the IESG)
> >
> > [1] This guidance text would be added to a new URL at
> > https://www.ietf.org/standards/rfcs/vulnerabilities, and then
> > referenced from www.ietf.org/contact,
> > https://www.ietf.org/standards/process/,
> > https://www.ietf.org/standards/rfcs/, and
> > https://www.ietf.org/topics/security/
> >
> > [2] https://www.ietf.org/about/administration/policies-
> > procedures/vulnerability-disclosure
> >