Table of Contents
How the Evergreen Project Handles Security-related Bugs
How do I report a security-related issue in Evergreen?
You can report a security-related issue in Evergreen via the bug tracking system at https://bugs.launchpad.net/evergreen – be sure to check the box labeled "This bug is a security vulnerability".
While we prefer that security bugs be reported via Launchpad, they can also be reported to firstname.lastname@example.org.
NOTE: If you are an active Evergreen "bug wrangler" or similar, you may instead have an option to change "This bug contains information that is:" from "Public" to "Private Security".
Who can see the details of a security bug?
While a security-related bug is in progress, the original submitter and the Launchpad team "Evergreen Security" are the only ones who can see the details of the bug. The current roster of individuals in the "Evergreen Security" launchpad team can be viewed here: https://launchpad.net/~evergreen-security
After a security bug has been evaluated and either fixed or found to be invalid, the full details of the bug will be publicly visible. Please avoid placing information in a security bug report which should not be made public in this manner.
What happens after I report a security-related issue in Evergreen?
After a security bug is reported in Launchpad, notification is sent to the members of the "Evergreen Security" Launchpad team.
Your bug report will be evaluated, and you may be contacted by the security team and asked to provide additional details.
The security team will work to develop a fix and/or workaround as appropriate.
Communication during the bug fixing process takes place within the Launchpad bug tracking system and/or via e-mail over the Evergreen security team mailing list.
How are security releases tested?
When a fix for the security release is available, including instructions for how to apply the fix to an existing Evergreen installation, the Launchpad bug will be made public. An announcement will be made to the community regarding the nature of the issue, including a call for testers. Testers should note their success/failures directly in the Launchpad ticket.
How are security fixes released?
After testing, the code will be merged to the relevant public Evergreen branches (origin/main, origin/rel_2_3, …) and the Launchpad entries will be marked as Fix Committed. From here, the process proceeds the same as a regular non-security release, though every effort will be made to cut the releases in a timely fashion.
How are security releases announced?
Security releases are are announced via the Evergreen blog and via e-mail to the open-ils-general mailing list.
This section was proposed on 2015-03-12
The purpose of the Evergreen security team is to review reports of specific security flaws in Evergreen, to write and test patches to fix or ameliorate those flaws, and to perform security releases.
Membership in the Evergreen security team is available to individuals who meet all of the following conditions:
- They request membership.
- They promise to adhere to the consensus of the security team regarding when to publicly disclose security issues.
- They promise to maintain the confidentially of discussions on the open-ils-security mailing list and security bugs on LaunchPad.
- They promise to provide assistance to the security team. Such help can take the form of provide substantive commentary on reported security issues, writing patches, testing and reviewing them, writing security documentation, and assisting in the process of preparing and publicizing security releases.
- They operate or support the operation of at least one production Evergreen system known to at least one other current member of the security team.
- They already have access to various tools required to participating in a meaningful fashion, to wit: a registered account on LaunchPad and at least one public key registered with the Evergreen Git server.
- The current members of the security team come to a consensus to admit the new member. The security team reserves the right to reject applications, and will explain their reasoning to the applicant if they should do so. Applications will be reviewed promptly.
Membership applications may be made by contacting one of the current security team members; a list of the current members' names will be maintained on the Evergreen wiki. [(Proposed addition, pending approval) Application for membership should include indication that you have read and agree to the conditions stated above.]
Violations of the promises in (2) and (3) may result in immediate expulsion from the security team.
Membership in the security team belongs to individuals, not institutions. Membership comes with an expectation that each member will actively participate at least part of the time; it is not to be treated simply as a means of gaining early access to information about security vulnerabilities in Evergreen.
The team membership list will be reviewed annually; members who have not made substantive contributions to the team may be dropped from the list, but are free to apply to rejoin.
Members of the security team will have access to the following restricted resources in order to carry out their work:
- membership in the private security group on LaunchPad, which will allow them to see and act on bugs that are marked as private security bugs
- a subscription and access to the private archives of the open-ils-security mailing list
- access to the Git repositories hosting security patches in progress.
Current security team members
- Thomas Berezansky
- Galen Charlton
- Jeff Davis
- Bill Erickson
- Jeff Godin
- Rogan Hamby
- Kathy Lussier
- Mike Rylander
- Dan Scott
- Chris Sharp
- Ben Shum
- Jason Stephenson
- Yamil Suarez
- Dan Wells
- Liam Whalen