From 3077d23c7b91381b4a499cc6d0406999613c0b8a Mon Sep 17 00:00:00 2001
From: Randall
Date: Fri, 18 Nov 2022 02:35:06 +0000
Subject: [PATCH] Fix style on Markdown files
Signed-off-by: Randall
---
 .gitignore | 18 +
 README.md | 13 +-
 package-lock.json | 547 ++++++++++++++++++
 package.json | 22 +
 ....0 Identify Core Services and Processes.md | 38 +-
 plan/3.0 Execution.md | 243 ++++++--
 plan/README.md | 12 +-
 plan/proposal_summary.md | 57 +-
 8 files changed, 858 insertions(+), 92 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 package-lock.json
 create mode 100644 package.json
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a05a7c9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,18 @@
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+.pnpm-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# Optional npm cache directory
+.npm
diff --git a/README.md b/README.md
index 477ccee..339f553 100644
--- a/README.md
+++ b/README.md
@@ -23,12 +23,13 @@ This SIRT's motivation is to make available the incident response resources to a To develop a cohort of trustworthy, vendor-neutral, vetted, well-orchestrated and experienced group of security professionals **_EXPRESSLY OUT OF SCOPE:_** -⊲ Anything involving vulnerabilities in closed-source/proprietary software -⊲ Security improvements to open-source software that are not tactically essential to the -patching of newly-reported, high- and critical-impact vulnerabilities in open-source -software -⊲ Helping projects or individual enterprises with remediating their security exposures -from another open-source project’s security vulnerabilities + +- Anything involving vulnerabilities in closed-source/proprietary software +- Security improvements to open-source software that are not tactically essential to the + patching of newly-reported, high- and critical-impact vulnerabilities in open-source + software +- Helping projects or individual enterprises with remediating their security exposures + from another open-source project’s security vulnerabilities ## Prior Work diff --git a/package-lock.json b/package-lock.json new file mode 100644 index 0000000..2321ddc --- /dev/null +++ b/package-lock.json 
@@ -0,0 +1,547 @@ +{ + "name": "wg-vulnerability-disclosures", + "version": "1.0.0", + "lockfileVersion": 2, + "requires": true, + "packages": { + "": { + "name": "wg-vulnerability-disclosures", + "version": "1.0.0", + "license": "Apache-2.0", + "devDependencies": { + "markdownlint-cli": "^0.32.2", + "prettier": "^2.7.1" + } + }, + "node_modules/argparse": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz", + "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==", + "dev": true + }, + "node_modules/balanced-match": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", + "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==", + "dev": true + }, + "node_modules/brace-expansion": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz", + "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==", + "dev": true, + "dependencies": { + "balanced-match": "^1.0.0" + } + }, + "node_modules/commander": { + "version": "9.4.1", + "resolved": "https://registry.npmjs.org/commander/-/commander-9.4.1.tgz", + "integrity": "sha512-5EEkTNyHNGFPD2H+c/dXXfQZYa/scCKasxWcXJaWnNJ99pnQN9Vnmqow+p+PlFPE63Q6mThaZws1T+HxfpgtPw==", + "dev": true, + "engines": { + "node": "^12.20.0 || >=14" + } + }, + "node_modules/deep-extend": { + "version": "0.6.0", + "resolved": "https://registry.npmjs.org/deep-extend/-/deep-extend-0.6.0.tgz", + "integrity": "sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA==", + "dev": true, + "engines": { + "node": ">=4.0.0" + } + }, + "node_modules/entities": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/entities/-/entities-3.0.1.tgz", + "integrity": 
"sha512-WiyBqoomrwMdFG1e0kqvASYfnlb0lp8M5o5Fw2OFq1hNZxxcNk8Ik0Xm7LxzBhuidnZB/UtBqVCgUz3kBOP51Q==", + "dev": true, + "engines": { + "node": ">=0.12" + }, + "funding": { + "url": "https://github.com/fb55/entities?sponsor=1" + } + }, + "node_modules/fs.realpath": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", + "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==", + "dev": true + }, + "node_modules/get-stdin": { + "version": "9.0.0", + "resolved": "https://registry.npmjs.org/get-stdin/-/get-stdin-9.0.0.tgz", + "integrity": "sha512-dVKBjfWisLAicarI2Sf+JuBE/DghV4UzNAVe9yhEJuzeREd3JhOTE9cUaJTeSa77fsbQUK3pcOpJfM59+VKZaA==", + "dev": true, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/glob": { + "version": "8.0.3", + "resolved": "https://registry.npmjs.org/glob/-/glob-8.0.3.tgz", + "integrity": "sha512-ull455NHSHI/Y1FqGaaYFaLGkNMMJbavMrEGFXG/PGrg6y7sutWHUHrz6gy6WEBH6akM1M414dWKCNs+IhKdiQ==", + "dev": true, + "dependencies": { + "fs.realpath": "^1.0.0", + "inflight": "^1.0.4", + "inherits": "2", + "minimatch": "^5.0.1", + "once": "^1.3.0" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/ignore": { + "version": "5.2.0", + "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.2.0.tgz", + "integrity": "sha512-CmxgYGiEPCLhfLnpPp1MoRmifwEIOgjcHXxOBjv7mY96c+eWScsOP9c112ZyLdWHi0FxHjI+4uVhKYp/gcdRmQ==", + "dev": true, + "engines": { + "node": ">= 4" + } + }, + "node_modules/inflight": { + "version": "1.0.6", + "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", + "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", + "dev": true, + "dependencies": { + "once": "^1.3.0", + "wrappy": "1" + } + }, + "node_modules/inherits": { + 
"version": "2.0.4", + "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", + "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==", + "dev": true + }, + "node_modules/ini": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/ini/-/ini-3.0.1.tgz", + "integrity": "sha512-it4HyVAUTKBc6m8e1iXWvXSTdndF7HbdN713+kvLrymxTaU4AUBWrJ4vEooP+V7fexnVD3LKcBshjGGPefSMUQ==", + "dev": true, + "engines": { + "node": "^12.13.0 || ^14.15.0 || >=16.0.0" + } + }, + "node_modules/js-yaml": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz", + "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==", + "dev": true, + "dependencies": { + "argparse": "^2.0.1" + }, + "bin": { + "js-yaml": "bin/js-yaml.js" + } + }, + "node_modules/jsonc-parser": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/jsonc-parser/-/jsonc-parser-3.1.0.tgz", + "integrity": "sha512-DRf0QjnNeCUds3xTjKlQQ3DpJD51GvDjJfnxUVWg6PZTo2otSm+slzNAxU/35hF8/oJIKoG9slq30JYOsF2azg==", + "dev": true + }, + "node_modules/linkify-it": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/linkify-it/-/linkify-it-4.0.1.tgz", + "integrity": "sha512-C7bfi1UZmoj8+PQx22XyeXCuBlokoyWQL5pWSP+EI6nzRylyThouddufc2c1NDIcP9k5agmN9fLpA7VNJfIiqw==", + "dev": true, + "dependencies": { + "uc.micro": "^1.0.1" + } + }, + "node_modules/markdown-it": { + "version": "13.0.1", + "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-13.0.1.tgz", + "integrity": "sha512-lTlxriVoy2criHP0JKRhO2VDG9c2ypWCsT237eDiLqi09rmbKoUetyGHq2uOIRoRS//kfoJckS0eUzzkDR+k2Q==", + "dev": true, + "dependencies": { + "argparse": "^2.0.1", + "entities": "~3.0.1", + "linkify-it": "^4.0.1", + "mdurl": "^1.0.1", + "uc.micro": "^1.0.5" + }, + "bin": { + "markdown-it": "bin/markdown-it.js" + } + }, + "node_modules/markdownlint": { + "version": "0.26.2", + 
"resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.26.2.tgz", + "integrity": "sha512-2Am42YX2Ex5SQhRq35HxYWDfz1NLEOZWWN25nqd2h3AHRKsGRE+Qg1gt1++exW792eXTrR4jCNHfShfWk9Nz8w==", + "dev": true, + "dependencies": { + "markdown-it": "13.0.1" + }, + "engines": { + "node": ">=14" + } + }, + "node_modules/markdownlint-cli": { + "version": "0.32.2", + "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.32.2.tgz", + "integrity": "sha512-xmJT1rGueUgT4yGNwk6D0oqQr90UJ7nMyakXtqjgswAkEhYYqjHew9RY8wDbOmh2R270IWjuKSeZzHDEGPAUkQ==", + "dev": true, + "dependencies": { + "commander": "~9.4.0", + "get-stdin": "~9.0.0", + "glob": "~8.0.3", + "ignore": "~5.2.0", + "js-yaml": "^4.1.0", + "jsonc-parser": "~3.1.0", + "markdownlint": "~0.26.2", + "markdownlint-rule-helpers": "~0.17.2", + "minimatch": "~5.1.0", + "run-con": "~1.2.11" + }, + "bin": { + "markdownlint": "markdownlint.js" + }, + "engines": { + "node": ">=14" + } + }, + "node_modules/markdownlint-rule-helpers": { + "version": "0.17.2", + "resolved": "https://registry.npmjs.org/markdownlint-rule-helpers/-/markdownlint-rule-helpers-0.17.2.tgz", + "integrity": "sha512-XaeoW2NYSlWxMCZM2B3H7YTG6nlaLfkEZWMBhr4hSPlq9MuY2sy83+Xr89jXOqZMZYjvi5nBCGoFh7hHoPKZmA==", + "dev": true, + "engines": { + "node": ">=12" + } + }, + "node_modules/mdurl": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/mdurl/-/mdurl-1.0.1.tgz", + "integrity": "sha512-/sKlQJCBYVY9Ers9hqzKou4H6V5UWc/M59TH2dvkt+84itfnq7uFOMLpOiOS4ujvHP4etln18fmIxA5R5fll0g==", + "dev": true + }, + "node_modules/minimatch": { + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.0.tgz", + "integrity": "sha512-9TPBGGak4nHfGZsPBohm9AWg6NoT7QTCehS3BIJABslyZbzxfV78QM2Y6+i741OPZIafFAaiiEMh5OyIrJPgtg==", + "dev": true, + "dependencies": { + "brace-expansion": "^2.0.1" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/minimist": { + "version": "1.2.7", + "resolved": 
"https://registry.npmjs.org/minimist/-/minimist-1.2.7.tgz", + "integrity": "sha512-bzfL1YUZsP41gmu/qjrEk0Q6i2ix/cVeAhbCbqH9u3zYutS1cLg00qhrD0M2MVdCcx4Sc0UpP2eBWo9rotpq6g==", + "dev": true, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/once": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", + "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", + "dev": true, + "dependencies": { + "wrappy": "1" + } + }, + "node_modules/prettier": { + "version": "2.7.1", + "resolved": "https://registry.npmjs.org/prettier/-/prettier-2.7.1.tgz", + "integrity": "sha512-ujppO+MkdPqoVINuDFDRLClm7D78qbDt0/NR+wp5FqEZOoTNAjPHWj17QRhu7geIHJfcNhRk1XVQmF8Bp3ye+g==", + "dev": true, + "bin": { + "prettier": "bin-prettier.js" + }, + "engines": { + "node": ">=10.13.0" + }, + "funding": { + "url": "https://github.com/prettier/prettier?sponsor=1" + } + }, + "node_modules/run-con": { + "version": "1.2.11", + "resolved": "https://registry.npmjs.org/run-con/-/run-con-1.2.11.tgz", + "integrity": "sha512-NEMGsUT+cglWkzEr4IFK21P4Jca45HqiAbIIZIBdX5+UZTB24Mb/21iNGgz9xZa8tL6vbW7CXmq7MFN42+VjNQ==", + "dev": true, + "dependencies": { + "deep-extend": "^0.6.0", + "ini": "~3.0.0", + "minimist": "^1.2.6", + "strip-json-comments": "~3.1.1" + }, + "bin": { + "run-con": "cli.js" + } + }, + "node_modules/strip-json-comments": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.1.1.tgz", + "integrity": "sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==", + "dev": true, + "engines": { + "node": ">=8" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/uc.micro": { + "version": "1.0.6", + "resolved": "https://registry.npmjs.org/uc.micro/-/uc.micro-1.0.6.tgz", + "integrity": 
"sha512-8Y75pvTYkLJW2hWQHXxoqRgV7qb9B+9vFEtidML+7koHUFapnVJAZ6cKs+Qjz5Aw3aZWHMC6u0wJE3At+nSGwA==", + "dev": true + }, + "node_modules/wrappy": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", + "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==", + "dev": true + } + }, + "dependencies": { + "argparse": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz", + "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==", + "dev": true + }, + "balanced-match": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", + "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==", + "dev": true + }, + "brace-expansion": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz", + "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==", + "dev": true, + "requires": { + "balanced-match": "^1.0.0" + } + }, + "commander": { + "version": "9.4.1", + "resolved": "https://registry.npmjs.org/commander/-/commander-9.4.1.tgz", + "integrity": "sha512-5EEkTNyHNGFPD2H+c/dXXfQZYa/scCKasxWcXJaWnNJ99pnQN9Vnmqow+p+PlFPE63Q6mThaZws1T+HxfpgtPw==", + "dev": true + }, + "deep-extend": { + "version": "0.6.0", + "resolved": "https://registry.npmjs.org/deep-extend/-/deep-extend-0.6.0.tgz", + "integrity": "sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA==", + "dev": true + }, + "entities": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/entities/-/entities-3.0.1.tgz", + "integrity": "sha512-WiyBqoomrwMdFG1e0kqvASYfnlb0lp8M5o5Fw2OFq1hNZxxcNk8Ik0Xm7LxzBhuidnZB/UtBqVCgUz3kBOP51Q==", + "dev": true + }, + "fs.realpath": { + "version": 
"1.0.0", + "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", + "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==", + "dev": true + }, + "get-stdin": { + "version": "9.0.0", + "resolved": "https://registry.npmjs.org/get-stdin/-/get-stdin-9.0.0.tgz", + "integrity": "sha512-dVKBjfWisLAicarI2Sf+JuBE/DghV4UzNAVe9yhEJuzeREd3JhOTE9cUaJTeSa77fsbQUK3pcOpJfM59+VKZaA==", + "dev": true + }, + "glob": { + "version": "8.0.3", + "resolved": "https://registry.npmjs.org/glob/-/glob-8.0.3.tgz", + "integrity": "sha512-ull455NHSHI/Y1FqGaaYFaLGkNMMJbavMrEGFXG/PGrg6y7sutWHUHrz6gy6WEBH6akM1M414dWKCNs+IhKdiQ==", + "dev": true, + "requires": { + "fs.realpath": "^1.0.0", + "inflight": "^1.0.4", + "inherits": "2", + "minimatch": "^5.0.1", + "once": "^1.3.0" + } + }, + "ignore": { + "version": "5.2.0", + "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.2.0.tgz", + "integrity": "sha512-CmxgYGiEPCLhfLnpPp1MoRmifwEIOgjcHXxOBjv7mY96c+eWScsOP9c112ZyLdWHi0FxHjI+4uVhKYp/gcdRmQ==", + "dev": true + }, + "inflight": { + "version": "1.0.6", + "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", + "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", + "dev": true, + "requires": { + "once": "^1.3.0", + "wrappy": "1" + } + }, + "inherits": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", + "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==", + "dev": true + }, + "ini": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/ini/-/ini-3.0.1.tgz", + "integrity": "sha512-it4HyVAUTKBc6m8e1iXWvXSTdndF7HbdN713+kvLrymxTaU4AUBWrJ4vEooP+V7fexnVD3LKcBshjGGPefSMUQ==", + "dev": true + }, + "js-yaml": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz", + "integrity": 
"sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==", + "dev": true, + "requires": { + "argparse": "^2.0.1" + } + }, + "jsonc-parser": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/jsonc-parser/-/jsonc-parser-3.1.0.tgz", + "integrity": "sha512-DRf0QjnNeCUds3xTjKlQQ3DpJD51GvDjJfnxUVWg6PZTo2otSm+slzNAxU/35hF8/oJIKoG9slq30JYOsF2azg==", + "dev": true + }, + "linkify-it": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/linkify-it/-/linkify-it-4.0.1.tgz", + "integrity": "sha512-C7bfi1UZmoj8+PQx22XyeXCuBlokoyWQL5pWSP+EI6nzRylyThouddufc2c1NDIcP9k5agmN9fLpA7VNJfIiqw==", + "dev": true, + "requires": { + "uc.micro": "^1.0.1" + } + }, + "markdown-it": { + "version": "13.0.1", + "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-13.0.1.tgz", + "integrity": "sha512-lTlxriVoy2criHP0JKRhO2VDG9c2ypWCsT237eDiLqi09rmbKoUetyGHq2uOIRoRS//kfoJckS0eUzzkDR+k2Q==", + "dev": true, + "requires": { + "argparse": "^2.0.1", + "entities": "~3.0.1", + "linkify-it": "^4.0.1", + "mdurl": "^1.0.1", + "uc.micro": "^1.0.5" + } + }, + "markdownlint": { + "version": "0.26.2", + "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.26.2.tgz", + "integrity": "sha512-2Am42YX2Ex5SQhRq35HxYWDfz1NLEOZWWN25nqd2h3AHRKsGRE+Qg1gt1++exW792eXTrR4jCNHfShfWk9Nz8w==", + "dev": true, + "requires": { + "markdown-it": "13.0.1" + } + }, + "markdownlint-cli": { + "version": "0.32.2", + "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.32.2.tgz", + "integrity": "sha512-xmJT1rGueUgT4yGNwk6D0oqQr90UJ7nMyakXtqjgswAkEhYYqjHew9RY8wDbOmh2R270IWjuKSeZzHDEGPAUkQ==", + "dev": true, + "requires": { + "commander": "~9.4.0", + "get-stdin": "~9.0.0", + "glob": "~8.0.3", + "ignore": "~5.2.0", + "js-yaml": "^4.1.0", + "jsonc-parser": "~3.1.0", + "markdownlint": "~0.26.2", + "markdownlint-rule-helpers": "~0.17.2", + "minimatch": "~5.1.0", + "run-con": "~1.2.11" + } + }, + "markdownlint-rule-helpers": 
{ + "version": "0.17.2", + "resolved": "https://registry.npmjs.org/markdownlint-rule-helpers/-/markdownlint-rule-helpers-0.17.2.tgz", + "integrity": "sha512-XaeoW2NYSlWxMCZM2B3H7YTG6nlaLfkEZWMBhr4hSPlq9MuY2sy83+Xr89jXOqZMZYjvi5nBCGoFh7hHoPKZmA==", + "dev": true + }, + "mdurl": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/mdurl/-/mdurl-1.0.1.tgz", + "integrity": "sha512-/sKlQJCBYVY9Ers9hqzKou4H6V5UWc/M59TH2dvkt+84itfnq7uFOMLpOiOS4ujvHP4etln18fmIxA5R5fll0g==", + "dev": true + }, + "minimatch": { + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.0.tgz", + "integrity": "sha512-9TPBGGak4nHfGZsPBohm9AWg6NoT7QTCehS3BIJABslyZbzxfV78QM2Y6+i741OPZIafFAaiiEMh5OyIrJPgtg==", + "dev": true, + "requires": { + "brace-expansion": "^2.0.1" + } + }, + "minimist": { + "version": "1.2.7", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.7.tgz", + "integrity": "sha512-bzfL1YUZsP41gmu/qjrEk0Q6i2ix/cVeAhbCbqH9u3zYutS1cLg00qhrD0M2MVdCcx4Sc0UpP2eBWo9rotpq6g==", + "dev": true + }, + "once": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", + "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", + "dev": true, + "requires": { + "wrappy": "1" + } + }, + "prettier": { + "version": "2.7.1", + "resolved": "https://registry.npmjs.org/prettier/-/prettier-2.7.1.tgz", + "integrity": "sha512-ujppO+MkdPqoVINuDFDRLClm7D78qbDt0/NR+wp5FqEZOoTNAjPHWj17QRhu7geIHJfcNhRk1XVQmF8Bp3ye+g==", + "dev": true + }, + "run-con": { + "version": "1.2.11", + "resolved": "https://registry.npmjs.org/run-con/-/run-con-1.2.11.tgz", + "integrity": "sha512-NEMGsUT+cglWkzEr4IFK21P4Jca45HqiAbIIZIBdX5+UZTB24Mb/21iNGgz9xZa8tL6vbW7CXmq7MFN42+VjNQ==", + "dev": true, + "requires": { + "deep-extend": "^0.6.0", + "ini": "~3.0.0", + "minimist": "^1.2.6", + "strip-json-comments": "~3.1.1" + } + }, + "strip-json-comments": { + "version": "3.1.1", + "resolved": 
"https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.1.1.tgz", + "integrity": "sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==", + "dev": true + }, + "uc.micro": { + "version": "1.0.6", + "resolved": "https://registry.npmjs.org/uc.micro/-/uc.micro-1.0.6.tgz", + "integrity": "sha512-8Y75pvTYkLJW2hWQHXxoqRgV7qb9B+9vFEtidML+7koHUFapnVJAZ6cKs+Qjz5Aw3aZWHMC6u0wJE3At+nSGwA==", + "dev": true + }, + "wrappy": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", + "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==", + "dev": true + } + } +} diff --git a/package.json b/package.json new file mode 100644 index 0000000..08f7145 --- /dev/null +++ b/package.json @@ -0,0 +1,22 @@ +{ + "name": "wg-vulnerability-disclosures", + "version": "1.0.0", + "description": "OpenSSF Repository for the Vulnerability Disclosures WG", + "scripts": { + "format": "npx prettier --write . && npx markdownlint --fix '**/*.md' --ignore node_modules --config .github/linters/.markdown-lint.yml" + }, + "repository": { + "type": "git", + "url": "git+https://github.com/ossf/wg-vulnerability-disclosures.git" + }, + "author": "", + "license": "Apache-2.0", + "bugs": { + "url": "https://github.com/ossf/wg-vulnerability-disclosures/issues" + }, + "homepage": "https://github.com/ossf/wg-vulnerability-disclosures#readme", + "devDependencies": { + "markdownlint-cli": "^0.32.2", + "prettier": "^2.7.1" + } +} diff --git a/plan/2.0 Identify Core Services and Processes.md b/plan/2.0 Identify Core Services and Processes.md index 52975e7..f6c7720 100644 --- a/plan/2.0 Identify Core Services and Processes.md +++ b/plan/2.0 Identify Core Services and Processes.md @@ -1,3 +1,5 @@ + + # 2.0 Identify core services and processes Work on defining the SIRT, what it does, and how it operates 
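Review bot: The `format` script in the new package.json invokes both tools through `npx` even though `prettier` and `markdownlint-cli` are declared as devDependencies and pinned in package-lock.json; npm already places `node_modules/.bin` on PATH for scripts, and when the local binary is missing `npx` will typically fetch and run whatever version the registry currently serves instead of failing, which sidesteps the lockfile. Dropping the prefix keeps the run tied to the installed versions: `"format": "prettier --write . && markdownlint --fix '**/*.md' --ignore node_modules --config .github/linters/.markdown-lint.yml"`. The script also references `.github/linters/.markdown-lint.yml`, which this commit does not add; if that file is not already present in the repository the markdownlint half of the script exits with an error, so it is worth confirming it exists or committing it alongside.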
@@ -29,7 +31,7 @@ The SIRT will define the minimum set of core services it will initially offer an | Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage | | :-------: | :------------------: | :------------------------: | :-------------------: | :---: | -| M1[^1] | 4-5 | 5 | 20-25 | ➡️ Y1 | +| M1[^1] | 4-5 | 5 | 20-25 | ➡️ Y1 | > Estimated Total Combined Volunteer Hours: 20-25 @@ -42,11 +44,13 @@ Dependent upon 2.1 and the survey variability. ### 2.2.2 Key steps and milestones - **M1**: Estimate operational case distribution for at least first year (~1 month calendar time) + - [ ] Define the sources of trend data (CNCF, GitHub, MITRE, etc.) - [ ] Evaluate 5 year trend of incident types - [ ] Group/pattern the incident types that occur leveraging existing body of work - **M2**: Develop internal SIRT procedures for services ~6 weeks + - [ ] For each service, define the intake criteria, engagement (whether to do so & prioritization), and closure criteria - [ ] Includes initial assessment (triage) - [ ] Includes prioritization and risk assessment @@ -55,11 +59,13 @@ Dependent upon 2.1 and the survey variability. - [ ] Publish Playbooks for each service - **M3**: External facing guidance for services ~3 weeks + - [ ] For each service, define a tl;dr of what it is - [ ] For each service, define a 'why' - [ ] For each service, define the expectations a user of the service may reasonably experience with timeline estimates/best effort milestones - **M4**: Testing period (tabletop some services/procedures/guidance through past incidents) ~3 weeks + - [ ] Identify two different open source incidents to run through against a service or series of services - [ ] Execute the tabletop against the intake, procedures, and communications - [ ] Conduct a blameless post-mortem on the execution of the tabletop against the intake, procedures, and communications 
@@ -67,29 +73,35 @@ Dependent upon 2.1 and the survey variability. - [ ] Publish post-mortem, corresponding improved areas, and lessons learned in the development of this - **M5** Define Service level expectations (not strict SLOs) + - [ ] Includes intake, initial assessment (triage), engagement criteria evaluation (2.4), service selection, assignment, performance of services, tracking/management, closure, reporting, and review - [ ] Determine intake routes, availability, and service level expectations - [ ] Determine 24/7 coverage? In which time zones? - **M6**: Decide SIRT event documentation processes and outputs (e.g., advisory, blog post, mailing list, submission to catalogs like GSD and CVE) + - [ ] Research documentation/publication options (~2 weeks calendar time) - [ ] Test (~2 weeks calendar time) - [ ] Integrate with project/maintainer security documentation and publication processes - **M7**: Determine minimal skills and foundational training (supports 3.2 & 3.3) + - [ ] Inclusive engagement training, etc. - [ ] Skills and technical domain expectations for execution of each service - **M8**: Research existing OSS security mechanisms and notification lists (~1 month calendar time) + - [ ] Identify existing OSS Security processes/mechanism for potential - [ ] Identify existing and missing vulnerability notification lists for redestribution into SIREN - [ ] Examples: oss-security, distros, OSS foundations, OSS hosting/infrastructure providers (yes like GitHub) - **M9**: Determine legal issues, seek advice (from LF/OpenSSF) + - [ ] Define a list of potential legal concern areas - [ ] Contact OpenSSF to ensure the SIRT, maintainers, etc. is covered legally, insurance, codes of conduct, need-to-know, hypocratic oath, etc. 
- **M10**: Develop volunteer requirements + - [ ] Ethical, code of conduct, other agreements - [ ] Define volunteering processes & rules, the upholding of commitments upheld by incident responders (including preventing premature disclosure “How-to” guides for those maintainers/developers wishing to engage with the SIRT), service level agreements (SLAs), and the definition a process fore engagement/interactions with Distros, & oss-security & existing security teams. @@ -100,17 +112,17 @@ Dependent upon 2.1 and the survey variability. | Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage | | :-------: | :------------------: | :------------------------: | :-------------------: | :---: | -| M1 | 4-5 | 5 | 20-25 | ➡️ Y1 | -| M2[^2] | 4 | 10 | 40 | ➡️ Y1 | +| M1 | 4-5 | 5 | 20-25 | ➡️ Y1 | +| M2[^2] | 4 | 10 | 40 | ➡️ Y1 | | M3 | 1-3 | 3-5 | 3-9 | ➡️ Y1 | | M4 | 4 | 6 | 24 | ➡️ Y1 | | M5 | 1-2 | 2 | 2-4 | ➡️ Y1 | -| M6[^3] | 2 | 10 | 20 | ➡️ Y1 | +| M6[^3] | 2 | 10 | 20 | ➡️ Y1 | | M7 | 2 | 4 | 8 | ➡️ Y1 | -| M8[^4] | 4 | 10 | 40 | ➡️ Y1 | -| M9[^5] | unk | unk | 40 | ➡️ Y1 | -| M10 | 4-5 | 5 | 20-25 | ➡️ Y1 | -| M11 | 4-5 | 10 | 40-50 | ➡️ Y2 | +| M8[^4] | 4 | 10 | 40 | ➡️ Y1 | +| M9[^5] | unk | unk | 40 | ➡️ Y1 | +| M10 | 4-5 | 5 | 20-25 | ➡️ Y1 | +| M11 | 4-5 | 10 | 40-50 | ➡️ Y2 | > Estimated Total Combined Volunteer Hours: ~260-285 
@@ -125,15 +137,18 @@ Depends on/relates to: 2.1, 2.2 ### 2.3.2 Key steps and milestones - **M1**: Determine staffing structure + - [ ] Some paid full or part-time staff - [ ] Significant proportion of volunteer staff - [ ] Flexibility to spin volunteer staff up or down depending on case distribution - [ ] Legal and contractual volunteer issues and agreements - **M2**: Document volunteer vetting process + - [ ] Consolidate the skills needs and the volunteer requirements - **M3**: Estimate number of volunteer staff with skill and experience sets + - [ ] Consider the historical event frequency against the services with time commitment estimates - **M4**: Re-evaluate staff requirements for 2-3 year’s worth of goals after year 1 @@ -145,14 +160,13 @@ Depends on/relates to: 2.1, 2.2 | Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage | | :-------: | :------------------: | :------------------------: | :-------------------: | :---: | -| M1 | 2 | 4 | 8 | ➡️ Y1 | -| M2 | 2 | 2 | 4 | ➡️ Y1 | +| M1 | 2 | 4 | 8 | ➡️ Y1 | +| M2 | 2 | 2 | 4 | ➡️ Y1 | | M3 | 1-3 | 3-5 | 3-9 | ➡️ Y1 | | M4 | 4 | 10 | 40 | ➡️ Y2 | > Estimated Total Combined Volunteer Hours: 55-69 --------- -Footnotes: + [^1]: This estimation is assume this work to be done over the course of a month and is entirely dependent on the quality and content of the survey, it is therefore subject to change. [^2]: The majority of this work and time will be the development of the detailed steps for each service. [^3]: This will require finalization by the SIG and require 2 dedicated meetings to finalize. diff --git a/plan/3.0 Execution.md b/plan/3.0 Execution.md index 27c271c..dfcf8f8 100644 --- a/plan/3.0 Execution.md +++ b/plan/3.0 Execution.md @@ -1,5 +1,9 @@ + + # 3.0 Execution + focused on things assembling the team and tools + - Section Lead - Francis Perron (@u269c) - Section Team - Art, CRob - Section Meeting Time/Details - Every other Friday 11-11:30am EST :clock11: 
@@ -9,7 +13,7 @@ focused on things assembling the team and tools ## 3.1 Hire Program Manager for OSS-SIRT -Hire Program Manager(PgM) to oversee the execution of the OSS-SIRT plan, and then facilitate and coordinate the OSS-SIRT as it enters operations. This role will need to be one of the first steps undertaken as the OSS-SIRT plan is being implemented to ensure its smooth delivery. The OSS-SIRT PgM will lead post mortem exercises on incidents to improve efficienmcy and quality of OSS-SIRT outputs, will collect and report out on key metrics of the OSS-SIRT program, will coordinate onboarding and training of new OSS-SIRT volunteers, amongst other duties. +Hire Program Manager(PgM) to oversee the execution of the OSS-SIRT plan, and then facilitate and coordinate the OSS-SIRT as it enters operations. This role will need to be one of the first steps undertaken as the OSS-SIRT plan is being implemented to ensure its smooth delivery. The OSS-SIRT PgM will lead post mortem exercises on incidents to improve efficienmcy and quality of OSS-SIRT outputs, will collect and report out on key metrics of the OSS-SIRT program, will coordinate onboarding and training of new OSS-SIRT volunteers, amongst other duties. - **M1**: Create job description + roles & responsibilities for OSS-SIRT PgM - **M2**: Hire PgM @@ -20,9 +24,10 @@ Hire Program Manager(PgM) to oversee the execution of the OSS-SIRT plan, and the | Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage | | :-------: | :------------------: | :------------------------: | :-------------------: | :---: | -| M1 | 2 | 2 | 4 | ➡️ Y1 | -| M2 | 4-5 | 8 | 32-40 | ➡️ Y1 | -| M3 | 4-5 | 8 | 32-40 | ➡️ Y1 | +| M1 | 2 | 2 | 4 | ➡️ Y1 | +| M2 | 4-5 | 8 | 32-40 | ➡️ Y1 | +| M3 | 4-5 | 8 | 32-40 | ➡️ Y1 | + > Estimated Total Combined Volunteer Hours: 72-84 1 FTE $300k per annum ## 3.2 - Tech Stack section, deployment and maintenance 
@@ -30,7 +35,7 @@ Hire Program Manager(PgM) to oversee the execution of the OSS-SIRT plan, and the The selection of the IT and communications infrastructure is necessary to deliver our services, and make a plan for its deployment, operational availability, and security assurance is included here. That work is dependent on :x: [2.1](https://github.com/ossf/SIRT/blob/main/plan/2.0%20Identify%20Core%20Services%20and%20Processes.md#21---identify-a-core-set-of-services) as it will determine the scope of this work. We can proceed a bit, but will have to wait at some point. - **M1**: _Tech stack selection_ - - [ ] Discovery and documentation: https://github.com/ossf/SIRT/issues/9 + - [ ] Discovery and documentation: - [ ] Election of tech --# issue# - **M2**: _Deployment_ - [ ] For each tool needed (early estimate of 4-5 needed for year one), 20hrs/tool to configure, deploy, integrate, and test 
@@ -41,12 +46,12 @@ The selection of the IT and communications infrastructure is necessary to delive | Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage | | :-------: | :------------------: | :------------------------: | :-------------------: | :---: | -| M1[^1] | 4-5 | 10 | 40-50 | ➡️ Y1 | -| M2[^2] | 4-5 tools | 20 | 80-100 | ➡️ Y1 | -| M3 | 4-5 | 4-5 tools x 2hrs each | 32-50 | ➡️ Y1 | -> - Estimated Total Combined Volunteer Hours: 152-200 -> -No estimate available at this time for tooling costs, as testing/review has not been conducted. Wherever possible free and open source tooling will be selected for OSS-SIRT use, but some functions may require commercial products to deliver. +| M1[^1] | 4-5 | 10 | 40-50 | ➡️ Y1 | +| M2[^2] | 4-5 tools | 20 | 80-100 | ➡️ Y1 | +| M3 | 4-5 | 4-5 tools x 2hrs each | 32-50 | ➡️ Y1 | +> - Estimated Total Combined Volunteer Hours: 152-200 +> -No estimate available at this time for tooling costs, as testing/review has not been conducted. Wherever possible free and open source tooling will be selected for OSS-SIRT use, but some functions may require commercial products to deliver. ## 3.3 Recruitment @@ -54,7 +59,7 @@ Depending on the operational model defineb by :x: [2.3](https://github.com/ossf/ - **M1**: Create OSS-SIRT job description - [ ] Survey existing CSIRT/PSIRT job descriptions - - [ ] Per 2.2M10 and 2.3 create draft of role job requirements + - [ ] Per 2.2M10 and 2.3 create draft of role job requirements - **M2**: Review OSS-SIRT job description - [ ] OSS-SIRT SIG members review and edit/update/approve role job description - **M3** : Post role and talk to Foundation to start vetting process 
@@ -71,12 +76,13 @@ Depending on the operational model defineb by :x: [2.3](https://github.com/ossf/ | Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage | | :-------: | :------------------: | :------------------------: | :-------------------: | :---: | -| M1 | 2-4 | 2 | 8-10 | ➡️ Y1 | -| M2 | 4-5 | 1 | 4-5 | ➡️ Y1 | -| M3 | 2 | 4 | 8 | ➡️ Y1 | -| M4 | 4-5 | 10 | 40-50 | ➡️ Y1 | -| M5 | 4-5 | 2 | 8-10 | ➡️ Y1 | -| M6 | 4-5 | 5 | 56-68 | ➡️ Y1 | +| M1 | 2-4 | 2 | 8-10 | ➡️ Y1 | +| M2 | 4-5 | 1 | 4-5 | ➡️ Y1 | +| M3 | 2 | 4 | 8 | ➡️ Y1 | +| M4 | 4-5 | 10 | 40-50 | ➡️ Y1 | +| M5 | 4-5 | 2 | 8-10 | ➡️ Y1 | +| M6 | 4-5 | 5 | 56-68 | ➡️ Y1 | + > Estimated Total Combined Volunteer Hours: 68-83 Y1, 56-68 Y2+ ## 3.4 Documentation and Training for the SIRT 
@@ -88,23 +94,23 @@ In order to perform the duties of the SIRT properly, we will need both playbooks - [ ] Review materials - [ ] Skeleton-draft available to join the SIRT team - [ ] Create means to collect areas of improvement for Onboarding documentation - - **M2**: Operational playbooks v1.0 - - [ ] Onboarding documentation - - [ ] Operations playbooks - - **M3**: Develop outreach and recruiting plan - - [ ] Per 3.2M6 create recruitment plan - - [ ] Informed by # of incidents/engagements in Year 1, develop OSS-SIRT workload estimate for growth/expansion - - [ ] Share recruitment plan with TAC and GB - - [ ] Adjust recruitement plan as needed - - [ ] +- **M2**: Operational playbooks v1.0 + - [ ] Onboarding documentation + - [ ] Operations playbooks +- **M3**: Develop outreach and recruiting plan + - [ ] Per 3.2M6 create recruitment plan + - [ ] Informed by # of incidents/engagements in Year 1, develop OSS-SIRT workload estimate for growth/expansion + - [ ] Share recruitment plan with TAC and GB + - [ ] Adjust recruitement plan as needed + - [ ] + ### Time & Resource Estimate | Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage | | :-------: | :------------------: | :------------------------: | :-------------------: | :---: | -| M1 | 4-5 | 20 | 80-100 | ➡️ Y1 | -| M2 | 4-5 | 25 | 100-125 | ➡️ Y1 | -| M3 | 4-5 | 4 | 16-20 | ➡️ Y1 | - +| M1 | 4-5 | 20 | 80-100 | ➡️ Y1 | +| M2 | 4-5 | 25 | 100-125 | ➡️ Y1 | +| M3 | 4-5 | 4 | 16-20 | ➡️ Y1 | > Estimated Total Combined Volunteer Hours: 196-245 
@@ -121,15 +127,13 @@ In order to better understand our successes and impact in YEAR 1 (Y1), we need m | Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage | | :-------: | :------------------: | :------------------------: | :-------------------: | :---: | -| M1[^3] | 4-5 + 1 PgM | 5 | 25-30 | ➡️ Y1 | -| M2 | 1 PgM | 5-10 | 5-10 PgM | ➡️ Y1 | -| M3 | 2 + 1 PgM | 8 | 24 | ➡️ Y1 | -| M4 | 1 PgM | 20 | 20 PgM | ➡️ Y1 | - +| M1[^3] | 4-5 + 1 PgM | 5 | 25-30 | ➡️ Y1 | +| M2 | 1 PgM | 5-10 | 5-10 PgM | ➡️ Y1 | +| M3 | 2 + 1 PgM | 8 | 24 | ➡️ Y1 | +| M4 | 1 PgM | 20 | 20 PgM | ➡️ Y1 | > Estimated Total Combined Volunteer Hours:74-84 - ## 3.6 Establish a post mortem culture Documenting lessons learned from handled incidents in order to mature the Coordinated Vulnerability Disclosure processes (CVD) with feedback provided to other working groups such as the Best Practices WG, Vuln Disc WG and other existing organizations operating in the incident response world. 
@@ -140,20 +144,171 @@ Documenting lessons learned from handled incidents in order to mature the Coordi - **M2**: Implement post mortem improvement findings back into existing processes - **M2a**: Track improvements to ensure timely completion - **M3**: Train OSS-SIRT PgM (3.6 below) to facilitate post mortem process and stakeholder feedback collection - + ### Time & Resource Estimate | Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage | | :-------: | :------------------: | :------------------------: | :-------------------: | :---: | -| M1 | 4-5 | 2 | 8-10 | ➡️ Y1 | -| M2 | 2 | 2 | 4 | ➡️ Y1 | -| M3 | 2 | 2 | 4 | ➡️ Y1 | -> Estimated Total Combined Volunteer Hours: 16-20 - +| M1 | 4-5 | 2 | 8-10 | ➡️ Y1 | +| M2 | 2 | 2 | 4 | ➡️ Y1 | +| M3 | 2 | 2 | 4 | ➡️ Y1 | +> Estimated Total Combined Volunteer Hours: 16-20 --- [^1]: This estimation is assume this work to be done over the course of a month and is entirely dependent on the quality and content of the survey, it is therefore subject to change. -[^2]: This estimation is assumes tooling is required to fulfill given services. Average # hours per tool given as pool estimate. -[^3]: These hours combine volunteer and Program Manager and ultimately will regularly be part of the PgM duties. +[^2]: This estimation is assumes tooling is required to fulfill given services. Average # hours per tool given as pool estimate. +[^3]: + These hours combine volunteer and Program Manager and ultimately will regularly be part of the PgM duties. 
+ focused on things assembling the team and tools + +- Section Lead - Francis Perron (@u269c) +- Section Team - Art, CRob +- Section Meeting Time/Details - Every other Friday 11-11:30am EST :clock11: +- Section Meeting [Zoom](https://zoom.us/j/91969722711) + +**Tracking**: TBD - _need placeholder to show progress_ + +## 3.1 - Tech Stack section, deployment and maintenance + +The selection of the IT and communications infrastructure is necessary to deliver our services, and make a plan for its deployment, operational availability, and security assurance is included here. That work is dependent on :x: [2.1](https://github.com/ossf/SIRT/blob/main/plan/2.0%20Identify%20Core%20Services%20and%20Processes.md#21---identify-a-core-set-of-services) as it will determine the scope of this work. We can proceed a bit, but will have to wait at some point. + +- **M1**: _Tech stack selection_ + - [ ] Discovery and documentation: + - [ ] Election of tech --# issue# +- **M2**: _Deployment_ + - [ ] For each tool needed (early estimate of 4-5 needed for year one), 20hrs/tool to configure, deploy, integrate, and test +- **M3**: _Operational needs fullfilled_ + - [ ] Annual review of tooling for fit-for-purpose/function + +### Time & Resource Estimate + +| Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage | +| :-------: | :------------------: | :------------------------: | :-------------------: | :---: | +| M1[^1] | 4-5 | 10 | 40-50 | ➡️ Y1 | +| M2[^2] | 4-5 tools | 20 | 80-100 | ➡️ Y1 | +| M3 | 4-5 | 4-5 tools x 2hrs each | 32-50 | ➡️ Y1 | + +> - Estimated Total Combined Volunteer Hours: 152-200 +> -No estimate available at this time for tooling costs, as testing/review has not been conducted. Wherever possible free and open source tooling will be selected for OSS-SIRT use, but some functions may require commercial products to deliver. 
+ +## 3.2 Recruitment + +Depending on the operational model defineb by :x: [2.3](https://github.com/ossf/SIRT/blob/main/plan/2.0%20Identify%20Core%20Services%20and%20Processes.md#23-define-expectations-including-vetting-process-and-ethics-agreement-and-determine-the-necessary-skills-and-experience-that-will-be-required-of-each-incident-responder-as-part-of-the-sirts-processes-onboarding-and-shadowing-programs), we will have to hire folks, or recruit volunteers. The actual content of the job requirement will then be defined by :x: [2.1](https://github.com/ossf/SIRT/blob/main/plan/2.0%20Identify%20Core%20Services%20and%20Processes.md#22-define-conditions-and-triage-criteria-for-the-services-offered-by-the-sirt-this-list-will-be-maintained-and-actively-updated-in-a-centralized-public-location-on-the-internet) and :x: [2.4](https://github.com/ossf/SIRT/blob/main/plan/2.0%20Identify%20Core%20Services%20and%20Processes.md#24-design-an-engagement-model-for-incident-responders-which-addresses-things-such-as), so we have lots of blockers here. 
+ +- **M1**: Create OSS-SIRT job description + - [ ] Survey existing CSIRT/PSIRT job descriptions + - [ ] Per 2.2M10 and 2.3 create draft of role job requirements +- **M2**: Review OSS-SIRT job description + - [ ] OSS-SIRT SIG members review and edit/update/approve Roile job description +- **M3** : Post role and talk to Foundation to start vetting process + - [ ] Consult with TAC and GB to encourage members to supply core of qualifed volunteers + - [ ] Conduct interviews with candidates +- **M4**: Select initial volunteer cohort + - [ ] Per 2.3, select candidates to become initial volunteer core for Year One operations of OSS-SIRT +- **M5**: Train/on-board initial volunteer cohort + - [ ] Per 2.2M6 and 3.3 train initial cohort of volunteers +- **M6**: Annual recruitment/rotation/reeducation of volunteer cohort + - [ ] Follow 3.2 M3-M5 periodically to refresh pool of viable SIRTers + +### Time & Resource Estimate + +| Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage | +| :-------: | :------------------: | :------------------------: | :-------------------: | :---: | +| M1 | 2-4 | 2 | 8-10 | ➡️ Y1 | +| M2 | 4-5 | 1 | 4-5 | ➡️ Y1 | +| M3 | 2 | 4 | 8 | ➡️ Y1 | +| M4 | 4-5 | 10 | 40-50 | ➡️ Y1 | +| M5 | 4-5 | 2 | 8-10 | ➡️ Y1 | +| M6 | 4-5 | 5 | 56-68 | ➡️ Y1 | + +> Estimated Total Combined Volunteer Hours: 68-83 Y1, 56-68 Y2+ + +## 3.3 Documentation and Training for the SIRT + +In order to perform the duties of the SIRT properly, we will need both playbooks and onboarding and training materials. This should be addressed early, before we are fully operational so we can iteratively improve on it. 
The **onboarding** documentation will depend on :x: [2.1](https://github.com/ossf/SIRT/blob/main/plan/2.0%20Identify%20Core%20Services%20and%20Processes.md#22-define-conditions-and-triage-criteria-for-the-services-offered-by-the-sirt-this-list-will-be-maintained-and-actively-updated-in-a-centralized-public-location-on-the-internet) and the **playbooks** will be greatly influenced by :x: [2.4](https://github.com/ossf/SIRT/blob/main/plan/2.0%20Identify%20Core%20Services%20and%20Processes.md#24-design-an-engagement-model-for-incident-responders-which-addresses-things-such-as). + +- **M1**: Onboarding documentation v1.0 + - [ ] Develop on-boarding materials + - [ ] Review materials + - [ ] Skeleton-draft available to join the SIRT team + - [ ] Create means to collect areas of improvement for Onboarding documentation +- **M2**: Operational playbooks v1.0 + - [ ] Onboarding documentation + - [ ] Operations playbooks +- **M3**: Develop outreach and recruiting plan + - [ ] Per 3.2M6 create recruitment plan + - [ ] Informed by # of incidents/engagements in Year 1, develop SIRT workload estimate for growth/expansion + - [ ] Share recruitment plan with TAC and GB + - [ ] Adjust recruitement plan as needed + - [ ] + +### Time & Resource Estimate + +| Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage | +| :-------: | :------------------: | :------------------------: | :-------------------: | :---: | +| M1 | 4-5 | 20 | 80-100 | ➡️ Y1 | +| M2 | 4-5 | 25 | 100-125 | ➡️ Y1 | +| M3 | 4-5 | 4 | 16-20 | ➡️ Y1 | + +> Estimated Total Combined Volunteer Hours: 196-245 + +## 3.4 Define and report on key metrics + +In order to better understand our successes and impact in year one1, we need metrics and reports about the work done. This objective aims to identify (Service Level Indicators), and then measure (Service Level Objectives) ourselves against these. 
Reports should be presented to the the [TAC](https://github.com/ossf/tac) on a regular basis. + +- **M1**: Based off of services OSS-SIRT will deliver, create metrics collection and reporting process +- **M2**: Define repoprting channels and key stakeholders +- **M3**: Train OSS-SIRT PgM (3.6 below) in key metrics to track and methods of reporting out +- **M4**: Create quarterly/annual report of OSS-SIRT key metrics + - [ ] issue1 + +### Time & Resource Estimate + +| Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage | +| :-------: | :------------------: | :------------------------: | :-------------------: | :---: | +| M1[^3] | 4-5 + 1 PgM | 5 | 25-30 | ➡️ Y1 | +| M2 | 1 PgM | 5-10 | 5-10 PgM | ➡️ Y1 | +| M3 | 2 + 1 PgM | 8 | 24 | ➡️ Y1 | +| M4 | 1 PgM | 20 | 20 PgM | ➡️ Y1 | + +> Estimated Total Combined Volunteer Hours:74-84 + +## 3.5 Establish a post mortem culture + +Documenting lessons learned from handled incidents in order to mature the Coordinated Vulnerability Disclosure processes (CVD) with feedback provided to other working groups such as the Best Practices WG, Vuln Disc WG and other existing organizations operating in the incident response world. 
+ +- **M1**: Create post mortem process for after-action reviews as well as reflection upon major incidents +- **M1a**: Create post mortem feedback survey for participants in incidents +- **M1b**: Create post mortem executive summary report for sharing with key stakeholders after post mortem is concluded +- **M2**: Train OSS-SIRT PgM (3.6 below) to facilitate post mortem process and stakeholder feedback collection + - [ ] issue1 + +### Time & Resource Estimate + +| Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage | +| :-------: | :------------------: | :------------------------: | :-------------------: | :---: | +| M1 | 4-5 | 2 | 8-10 | ➡️ Y1 | +| M2 | 2 | 2 | 4 | ➡️ Y1 | + +> Estimated Total Combined Volunteer Hours: 12-14 + +## 3.6 Hire Program Manager for OSS-SIRT + +Hire Program Manager(PgM) to oversee the execution of the OSS-SIRT plan, and then facilitate and coordinate the OSS-SIRT as it enters operations. This role will need to be one of the first steps undertaken as the OSS-SIRT plan is being implemented to ensure its smooth delivery. The OSS-SIRT PgM will lead post mortem exercises on incidents to improve efficienmcy and quality of OSS-SIRt outputs, will collect and report out on key metrics of the OSS-SIRt program, will coordinate onboarding and training of new OSS-SIRT volunteers, amongst other duties. 
+ +- **M1**: Create job description + roles & responsibilities for OSS-SIRT PgM +- **M2**: Hire PgM +- **M3**: On-board PgM and get them up to speed to start manging plan implementation + - [ ] issue[16](https://github.com/ossf/SIRT/issues/16) + +### Time & Resource Estimate + +| Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage | +| :-------: | :------------------: | :------------------------: | :-------------------: | :---: | +| M1 | 2 | 2 | 4 | ➡️ Y1 | +| M2 | 4-5 | 8 | 32-40 | ➡️ Y1 | +| M3 | 4-5 | 8 | 32-40 | ➡️ Y1 | + +> Estimated Total Combined Volunteer Hours: 72-84 1 FTE $300k per annum diff --git a/plan/README.md b/plan/README.md index 6623340..fc6dbb2 100644 --- a/plan/README.md +++ b/plan/README.md @@ -1,4 +1,5 @@ -# The Problem: +# The Problem + The next world-altering critical open-source software vulnerability like [Heartbleed](https://heartbleed.com/) or [Log4Shell](https://en.wikipedia.org/wiki/Log4Shell) is almost certainly already existing, undiscovered, somewhere in our codebases today. When these vulnerabilities are eventually discovered by either a friendly researcher 
@@ -12,17 +13,16 @@ for an industry-wide security risk, and have no choice but to try to remediate i often without the specialist security knowledge and coordinated disclosure connections to do so safely. -In May of 2022, the OpenSSF developed a 10 stream plan to address this and several other ecosystem-wide security topics as part of the [Open Source Software Security Mobilization Plan](https://openssf.org/oss-security-mobilization-plan/). Stream 5 set forth the initial framework to Establish an OpenSSF Incident Response Team of security experts to assist open source projects accelerate their responses to newly discovered vulnerabilities. This work was adopted by the OpenSSF's [Vulnerability Disclosure Working Group](https://github.com/ossf/wg-vulnerability-disclosures) and the plan was reformed into this document from July 2022 through November 2022. +In May of 2022, the OpenSSF developed a 10 stream plan to address this and several other ecosystem-wide security topics as part of the [Open Source Software Security Mobilization Plan](https://openssf.org/oss-security-mobilization-plan/). Stream 5 set forth the initial framework to Establish an OpenSSF Incident Response Team of security experts to assist open source projects accelerate their responses to newly discovered vulnerabilities. This work was adopted by the OpenSSF's [Vulnerability Disclosure Working Group](https://github.com/ossf/wg-vulnerability-disclosures) and the plan was reformed into this document from July 2022 through November 2022. + +This plan lays out the first two years of a roadmap to develop a cohort of trustworthy, vendor-neutral, vetted, well-orchestrated and experienced group of security professionals that will partner with open source projects, maintainers, security researchers, and the industry ecosystem to help ensure good coordinated vulnerability disclosure practices are used through out open source and downstream communities. 
As the team develops and as tooling, process, and connections are put into place, this team of vounteers will be able to assist open source developers and security researchers collaborate more effectively as security vulnerabiltiies are reported, coordinated, and ultimately addressed in open source software. The plan is organized into three sections: -This plan lays out the first two years of a roadmap to develop a cohort of trustworthy, vendor-neutral, vetted, well-orchestrated and experienced group of security professionals that will partner with open source projects, maintainers, security researchers, and the industry ecosystem to help ensure good coordinated vulnerability disclosure practices are used through out open source and downstream communities. As the team develops and as tooling, process, and connections are put into place, this team of vounteers will be able to assist open source developers and security researchers collaborate more effectively as security vulnerabiltiies are reported, coordinated, and ultimately addressed in open source software. The plan is organized into three sections: - [1.0 Understand the Problem Space](https://github.com/ossf/SIRT/blob/main/plan/1.0%20Understand%20the%20problem%20space.md) that focuses in on existing communities and processes for sharing and resolving security vulnerabilties - [2.0 Identify Core Services](https://github.com/ossf/SIRT/blob/main/plan/2.0%20Identify%20Core%20Services%20and%20Processes.md) where the desired capabilties that the OSS-SIRT will offer as services to the community are researched and mapped out - [3.0 Execution](https://github.com/ossf/SIRT/blob/main/plan/3.0%20Execution.md) where the plan is executed on with the volunteer corps being oboarded, trained, and supported by expert staff. 
- - - ## The Proposed Plan + - [1.0 Understand the Problem Space](https://github.com/ossf/SIRT/blob/main/plan/1.0%20Understand%20the%20problem%20space.md) - [2.0 Identify Core Services](https://github.com/ossf/SIRT/blob/main/plan/2.0%20Identify%20Core%20Services%20and%20Processes.md) - [3.0 Execution](https://github.com/ossf/SIRT/blob/main/plan/3.0%20Execution.md) diff --git a/plan/proposal_summary.md b/plan/proposal_summary.md index 5b891b7..43c4fcd 100644 --- a/plan/proposal_summary.md +++ b/plan/proposal_summary.md 
@@ -1,57 +1,66 @@ + + # Stream 5 proposal summary -Goal Target to Start Resource Requirements Funding Requirements -1) Understand the Problem Space +Goal Target to Start Resource Requirements Funding Requirements + +## 1. Understand the Problem Space ### Time & Resource Estimate | Milestone | Estimated Volunteers | Estimated Total Hours | Estimated FTEs/Expenses | Stage | | :-------: | :------------------: | :-------------------: | :---------------------: | :---: | -| G1.1[^1] | xxx | xx | xx | ➡️ Y1 | -| G1.2[^1] | xxx | xx | xx | ➡️ Y1 | -| G1.3[^1] | xxx | xx | xx | ➡️ Y1 | -| G1.4[^1] | xxx | xx | xx | ➡️ Y1 | +| G1.1[^1] | xxx | xx | xx | ➡️ Y1 | +| G1.2[^1] | xxx | xx | xx | ➡️ Y1 | +| G1.3[^1] | xxx | xx | xx | ➡️ Y1 | +| G1.4[^1] | xxx | xx | xx | ➡️ Y1 | + > - Estimated # Volunteers: -> - Estimated Total Combined Volunteer Hours: +> - Estimated Total Combined Volunteer Hours: > - Estimated # FTEs/other Expenses: -2) Identify Core Services +--- + +## 2. Identify Core Services ### Time & Resource Estimate | Milestone | Estimated Volunteers | Estimated Total Hours | Estimated FTEs/Expenses | Stage | | :-------: | :------------------: | :-------------------: | :---------------------: | :---: | -| G2.1[^1] | xxx | xx | 3xx | ➡️ Y1 | -| G2.2[^1] | xxx | xx | 3xx | ➡️ Y1 | -| G2.3[^1] | xxx | xx | 3xx | ➡️ Y1 | +| G2.1[^1] | xxx | xx | 3xx | ➡️ Y1 | +| G2.2[^1] | xxx | xx | 3xx | ➡️ Y1 | +| G2.3[^1] | xxx | xx | 3xx | ➡️ Y1 | > - Estimated # Volunteers: -> - Estimated Total Combined Volunteer Hours: +> - Estimated Total Combined Volunteer Hours: > - Estimated # FTEs/other Expenses: +--- -3) Execution +## 3. 
Execution ### Time & Resource Estimate | Milestone | Estimated Volunteers | Estimated Total Hours | Estimated FTEs/Expenses | Stage | | :-------: | :------------------: | :-------------------: | :---------------------: | :---: | -| G3.1[^1] | xxx | xx | 3xx | ➡️ Y1 | -| G2.2[^1] | xxx | xx | 3xx | ➡️ Y1 | -| G3.3[^1] | xxx | xx | 3xx | ➡️ Y1 | -| G3.4[^1] | xxx | xx | 3xx | ➡️ Y1 | -| G3.5[^1] | xxx | xx | 3xx | ➡️ Y1 | -| G3.6[^1] | xxx | xx | 3xx | ➡️ Y1 | +| G3.1[^1] | xxx | xx | 3xx | ➡️ Y1 | +| G2.2[^1] | xxx | xx | 3xx | ➡️ Y1 | +| G3.3[^1] | xxx | xx | 3xx | ➡️ Y1 | +| G3.4[^1] | xxx | xx | 3xx | ➡️ Y1 | +| G3.5[^1] | xxx | xx | 3xx | ➡️ Y1 | +| G3.6[^1] | xxx | xx | 3xx | ➡️ Y1 | > - Estimated # Volunteers: -> - Estimated Total Combined Volunteer Hours: +> - Estimated Total Combined Volunteer Hours: > - Estimated # FTEs/other Expenses: -## TOTAL ## +## TOTAL + > - Estimated # Volunteers: -> - Estimated Total Combined Volunteer Hours: +> - Estimated Total Combined Volunteer Hours: > - Estimated # FTEs/other Expenses: --------- +--- + Footnotes: -[^1]: +[^1]: