Add draft of ecosystem triage guidelines #508
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| # Node.js Ecosystem Triage Guidelines | ||
|
|
||
| ## Introduction | ||
|
|
||
| The purpose of this document is to bring the Node.js Ecosystem Triage team to a common understanding of how to triage and disclose security vulnerabilities reported through the Node.js third-party modules program hosted on HackerOne (https://hackerone.com/nodejs-ecosystem). | ||
|
|
||
| This is a living document and is expected to evolve over time. | ||
|
|
||
| ## Why are guidelines needed? | ||
|
|
||
| The Node.js Ecosystem Triage team consists of volunteers with varying level of time, energy and vulnerability management experience. Documenting best practices and common understanding of core concerns when triaging issues will allow the team to provide more consistent service both for security researchers and NPM package maintainers. | ||
|
|
||
| Guidelines will also be a useful resource in onboarding new triage team members. | ||
|
|
||
| ## What counts as a vulnerability? | ||
|
|
||
| HackerOne gives the following definition of a vulnerability: | ||
|
|
||
| ``` | ||
| A software bug that would allow an attacker to perform an action in violation of an expressed security policy. A bug that enables escalated access or privilege is a vulnerability. Design flaws and failures to adhere to security best practices may qualify as vulnerabilities. (...) | ||
| ``` | ||
|
|
||
| Any bug that is directly exploitable by attackers is a vulnerability. | ||
|
|
||
| Special case to consider are defects in libraries: if a documented or obvious way to use a library leads to an exploitable vulnerability in the correct and safe calling code, then those defects are also vulnerabilities. Some APIs are unsafe to use and are not vulnerabilities if they are clearly marked this way and if safe alternatives exist. An excellent example of this is dangerouslySetInnerHTML in React. | ||
lirantal marked this conversation as resolved.
Show resolved
Hide resolved
There was a problem hiding this comment.
The Many libraries are There was a problem hiding this comment. @ronperris could you give an example where there is no safe alternative ? I think that the key here is With that being said I don't think we have to go to the extreme of naming methods There was a problem hiding this comment. @yonjah Here one of thousands of example APIs that are script sinks that don't have warnings, safe defaults or documented safe alternatives. http://snapsvg.io/docs/#Element.append Is this a vulnerability that you expect us to triage and force your prescribed solution on? There was a problem hiding this comment. Sorry @ronperris I'm not familiar with There was a problem hiding this comment. This is the line in the new policy I have an issue with.
This API has multiple unsanitized and unescaped script sinks, but it isn't a vulnerability and doesn't need remediation. There was a problem hiding this comment. I'd rather clarify what may constitute a safe alternative rather than remove this line, because I think this cases are the most interesting to have guidelines for. To use the Bootbox example, I think its
In my opinion the answer is yes, because it is clearly spelled out in the documentation, including explicit mention of XSS risk.
In my opinion the answer is again yes, because the caller can escape the data before passing it to Bootbox I already had a chat about this with @ronperris but would love some more feedback from @lirantal and @yonjah on this. I think there is value in keeping this and I would like for us to flesh it out in a way that is reasonably unambiguous and helpful in day-to-day triage activities. There was a problem hiding this comment. About the "save alternative" - my point being is what if there is no safe alternative? Which is the case with There was a problem hiding this comment. @MarcinHoppe as I mentioned earlier I still have hope for a fix with code changes so the actual API will default for the more secure implementation. But I understand completely that all WG members has more experience than I do on this specific matter so I rather agree to what you see right. One thing I would be happy is if you can clarify how you see a report should be made in this instance. I mean I can see the value in having the WG (and in bootbox case even though there was a github issue the documents were only properly updates after the triage ended) but since the WG team is busy as is, maybe it's better to try and handle this kind of issues initially without the WG involvement ? There was a problem hiding this comment. @yonjah I'd like to separate covering the specific Bootbox submission from general guidelines around triage (not submission) as much as possible. I think keeping the discussion on Slack or the original H1 issues would be better and would make it more clear what this PR is about. There was a problem hiding this comment. @lirantal How about phrasing it in terms of intended usage or library (function, method) contract? For example: if library documentation clearly states that the caller is responsible for escaping HTML content rendered by the library in question, it would not qualify as a vulnerability. Would such verbiage make it clearer? The safe/unsafe alternatives would be left as is to cover cases such as |
||
|
|
||
| ## What is the root cause of the vulnerability? | ||
|
|
||
| There are cases where the submitter notices a vulnerability in a parent package but the root cause of the vulnerability can be traced to one of the downstream dependencies. An example of this was an XSS vulnerability in the serve package that could be traced to lack of proper HTML escaping in the downstream serve-handler package. In cases such as this one, it is important to work with submitter and package maintainers to determine where a vulnerability in question is best remediated. | ||
|
|
||
| ## Does package maintainer have to acknowledge the vulnerability? | ||
|
|
||
| If the triage team can contact the maintainer, then getting them to acknowledge the vulnerability before proceeding is strongly encouraged. If it was not possible to make contact, the responsibility for making a decision is on the triage team. | ||
|
|
||
| ## Which vulnerabilities need to be disclosed? | ||
|
|
||
| Vulnerabilities that require users of a package to take an action, most often upgrade of the package, need to be publicly disclosed. | ||
|
|
||
| ## What about resolution verification? | ||
|
|
||
| Sometimes vulnerability resolutions are partial and do not fully resolve the underlying problem. It is encouraged to facilitate collaboration between the submitter and package maintainer to verify if the resolution is full and does not lead to further security problems. | ||
|
|
||
| # References | ||
|
|
||
| HackerOne Disclosure Guidelines | ||
| https://www.hackerone.com/disclosure-guidelines | ||
|
|
||
| CVE Counting Rules | ||
| https://drive.google.com/file/d/1edCzKfsds79S6z411EJ5qQa-c6z2Bc4A/view | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know this is worth saying, all our docs evolve over time!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was copied from its original Google Doc format, I will remove this line.