From owner-freebsd-security@freebsd.org Fri Jul 5 21:24:25 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 58AA715D4F7A; Fri, 5 Jul 2019 21:24:25 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-io1-xd44.google.com (mail-io1-xd44.google.com [IPv6:2607:f8b0:4864:20::d44]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id DF9868A778; Fri, 5 Jul 2019 21:24:24 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: by mail-io1-xd44.google.com with SMTP id f4so6338994ioh.6; Fri, 05 Jul 2019 14:24:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=XVNdXQPAnBN2O/48V4jHqzYpKvyC5qVXpUWTzRXrLQY=; b=pWIq8km1fz5GmdgHuVLVrZTWLgTFCXHYw5Tnt8+yRt8t1jxaVXs+AStxhsCLIdaK6H pE+iyh7C/Hvj4nlIlHkwc+47dkfb+amK+RQAYKpArGb5PdD9mvUCIIsV5tp5TUvQhov4 F7Aae/JCKd0PtB1SaRBE4zSD97UXGUhGFqZSQ1W4ct9D+TP11tbsg0Gg4MfAqOQ6ynP5 crzuZx7bpxl1b2npUFSd35jKPf2ZM6h4KuGQSi62R6+VFXcpwE4OTw8whZCjLjknz92m DhAi3POQu6ro4g8Rp42YxyeOAdqLw2LcJghlgQUYQmcm1YBFIjMlBHMLUlXj1N8mcmUR ZFZg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=XVNdXQPAnBN2O/48V4jHqzYpKvyC5qVXpUWTzRXrLQY=; b=UtyKpGUPYTOep7ZITWtBgfU1CXaKvIvVYCEQrup2MNql1MT5FvCogGK/Xmzn6zQFEr AgHkJgkFKCtBwSET14x0ixfem69DG383kF/YcqTTHndD9l01ujV2bj4cTLVMVEVgQ/Kv nq7jDsoLCKd4w4fuZLQqXcfQvumddY3KRQceS6wImcG8QIwMYtEOuXWZIoibzI0UzZ9M xiJKR1Xs3/yy5z2WSsoGEBmS1AbTiAN0S1KuhJt7iGWwE1nT/1CM79nVCAw4NQMQ/lA6 LFEKE8/dbl9DM/11SCHwZd9Z+NB/4HkVl8xzQr5WqJ6Qf+4WbEBO9MybcIi/ApdMZp/f K5BA== X-Gm-Message-State: APjAAAX/39H9ZC8rX7paDNOvEdXVNorocrTJoyX7HE7X6Y8UKh/QlIq0 2ESH60KaEiLo3sGE0M8JScXrZGLWjU0VLISUnUROs66d X-Google-Smtp-Source: APXvYqyeWqjROikDjezXzZqCdfrbAFmx00SIaFmiYzq/hEWz4LmxsjC6MuH6/yF0BjsnxZ4rediMODctu2FMLBuLZCw= X-Received: by 2002:a5d:9752:: with SMTP id c18mr6578945ioo.22.1562361863828; Fri, 05 Jul 2019 14:24:23 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a02:81c6:0:0:0:0:0 with HTTP; Fri, 5 Jul 2019 14:24:23 -0700 (PDT) In-Reply-To: <20190705060652.GA2974@server.rulingia.com> References: <20190705060652.GA2974@server.rulingia.com> From: grarpamp Date: Fri, 5 Jul 2019 17:24:23 -0400 Message-ID: Subject: Re: Review of FreeBSD Security Advisory Process: Incl Heads Up, Dates, Etc [cont: 5599 SACK} To: freebsd-security@freebsd.org Cc: freebsd-questions@freebsd.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: DF9868A778 X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-6.93 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.93)[-0.932,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; REPLY(-4.00)[] X-Mailman-Approved-At: Fri, 05 Jul 2019 22:04:03 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Jul 2019 21:24:25 -0000 On 7/5/19, Peter Jeremy wrote: > On 2019-Jul-04 00:06:10 -0400, grarpamp wrote: >>Continued from beginnings in: >>https://lists.freebsd.org/pipermail/freebsd-security/2019-June/009996.htm= l > What benefits would be gained by Some have been, and more can be by others, outlined in the ongoing threads. > Security Officer is a volunteer position and their time is valuable. > requiring them to do more work to provide information Date_Received adding is not "more work" in any real sense. FreeBSD Project knows when it becomes aware of an issue, readily available in the very same email headers, forum post headers, etc... a minute's cut and paste into an Advisory. That's an easy first step. > that is mostly already available elsewhere? In the Subject example, and many others, no. Discovered and Received dates are often not given. >>Date_Discovered: Date of original discovery by discoverer. > This will be in the linked CVE. It is not present in the current CVE or Netflix or FreeBSD infosheets. If some external discoverer wants to play silly and coy with that Date_Discovered info, fine. However once Date_Received occurs as above, FreeBSD project should be denoting its Date_Received. >>Date_Received: Date project received notification (or >>observed any info), regardless from external or internal source. > > How/why is this relevant? Already explained... it is critical datapoint for user base to review evaluate community allocation of resources to appropriate levels of security response. They might choose months, weeks, days. But without Date_Received, everyone is left in dark, and allocations potentially not wherever they should be to meet general needs. > I agree that the project has been ignored > in some cases but that is generally discussed separately. FreeBSD ignored by external fake security purveyors? If that is the meaning, that would be a good thing, hopefully due to FreeBSD doing things toward real security that counter that. >>Issue should also be posted heads up to lists at this Received >>time. > > Definitely not. Early advice of vulnerabilities is very much "need to > know". Utterly False. If you are the owner... user, admin, entity or even customer with data or services running on... a vulnerable system, it is absolutely without question your need to know. Further, if FreeBSD is not posting a heads up upon its Date_Received of what it knows so far, it is putting itself in very questionable position of claiming to knowing best for all when in fact it does not even know for one, instead of rightly setting those decisions off to systems owners as best suits their own needs via heads up post. > Unless someone's expertise is required to rectify the vulnerability, > details regarding the vulnerability should remain private. What external does is up to them. Yet as herein, once it hits FreeBSD's doorstep, FreeBSD's responsibility is to users first and foremost to point of exclusivly. > The discoverers may > choose to publish early information As above, that's upon them and their cred game. Not forgetting that those discoverers that withold often get caught and look silly. > in which case, the Project may choose > to publicly reference that information. If FreeBSD is independant, it can refer and publish whatever it knows, when it knows it. If it is not, then those aspects of FreeBSD need very serious opening up to sunlight and review by the entire community. Same if FreeBSD were subject to "Donation Capture", that would need reviewed extremely closely. > Public announcement dates are generally not under Project control - where= a > vulnerability affects multiple vendors, there is almost always general > agreement on a common announcement date. This is a game, a fake news show meant to make the interviewees look good, typically monied vendors of closed proprietary garbage smelly swiss cheese product, everyone knows it, so just stop. > If the Project leaks information > about unannounced vulnerabilities, it will stop receiving advance > information about vulnerabilities - this definitely will adversely impact > the Project. If FreeBSD is or wants to playing the [vendor] game, wants to become a closed system, subject to such others, etc... it will never be known for pushing the much needed opensource HW and SW philosophy envelope any further ahead into the light through its openness action or even activism. There are enough closed models out there already. Don't let those closed actors fool and play you into their dark traps. FreeBSD hopefully is, and must be, better than that. Here's another example of secrecy serving no one other than dark forces (in this case, literally TLA's and nefarious actors around the world against owners users customers)... https://zerodium.com/program.html FreeBSD LPE is only worth $50,000, that's less than Windows. One can of course discuss in a separate thread the LoC vs Funds vs Usercount vs Fruits of Vuln therein. The the question of what great results from if FreeBSD community and or foundation funds just one fulltime dedicated security reviewer at $50k/yr... and how that news and results might generate more donations in turn... >> Does FreeBSD publish its vulnerability response process documentation? >> If not, would FreeBSD be open to such transparency? > You=E2=80=99re asking volunteers, performing a very time-consuming task, = to do even more work. That would be another great first step. And it's easily done and opened to entire community contribution via the Wiki, such that works doesn't have to come down to just N existing volunteers. Part of doing things such as these in the open, a wiki list of oppurtunitie= s, processes, etc is that it allows you to call for participants, new volunteers, people can drop by and see what interests them, can evaluate if they would like to add resources to gain from that investment [in their own system] in turn, etc.