Do you have and adhere to responsible disclosure requirements for all externally identified vulnerabilities?
ID | esf_s3c_dev/security_policy
Severity | low
Category |
Levels |
Optional | false
Tags | SSDF-RV.1.3, policy, security, supply-chain
Description
Do you have and adhere to responsible disclosure requirements for all externally identified vulnerabilities?
Establish a vulnerability disclosure program, and make it easy for security researchers to learn about your program and report possible vulnerabilities.
Rationale
At some point in the life of any software project, someone (a user, a contributor, or a security researcher) will find a vulnerability that affects the safety and usefulness of the software.
A security policy (typically a SECURITY.md file) can give users information about what constitutes a vulnerability and how to report one securely, so that details of a bug are not publicly visible before a fix exists.
Such a security policy should document at least:
- How to contact the project team about a potential security vulnerability.
- Whether a vulnerability report can be kept private until such time as the project decides to share it more broadly, after patches are made available.
- The reporter's expectations on communication and collaboration around the issue.
- Kinds of security issues and their corresponding fix and disclosure strategies.
Lack of a publicised security policy may lead to insecure reporting of vulnerabilities, lower trust in project security, public disclosure of vulnerabilities without prior contact with the project team or, in the worst case, vulnerabilities that were discovered but never reported for lack of a security policy and were later exploited by bad actors.
Verification
This check works by looking for a file named SECURITY.md (case-insensitive) in a few well-known directories.
Remediation
- Place a security policy file (recommended name: SECURITY.md) in the root directory of your repository. This makes it easily discoverable by a vulnerability reporter.
- The file should contain information on what constitutes a vulnerability and a way to report it securely (e.g. an issue tracker with private issue support, or encrypted email with a published public key). You may follow the OpenSSF coordinated vulnerability disclosure guidelines or a similar process to respond to vulnerability disclosures.
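The following is an added example, not the check's own implementation, showing how the Verification step above (a case-insensitive lookup for SECURITY.md in well-known directories) can be coded, together with a light heuristic for the Remediation point that the file must name a way to report securely. The candidate directories (repository root, .github, docs), the contact-channel heuristic and the sample policy text are assumptions of this example; the page itself only says "a few well-known directories".

```python
"""Locate a repository's security policy the way the check above describes,
and apply a light heuristic for the remediation guidance.

Added example, not the check's own implementation. The candidate directories
and the contact-channel heuristic are assumptions; the page only states that
the lookup is case-insensitive over "a few well-known directories".
"""
import os
import re
import tempfile

# Assumed well-known locations, relative to the repository root.
CANDIDATE_DIRS = ("", ".github", "docs")
POLICY_NAME = "security.md"  # compared case-insensitively

# Constructed sample policy used by build_demo_repo(); not a real project's file.
SAMPLE_POLICY = """# Security Policy

Please report suspected vulnerabilities privately to security@example.org
(PGP key published at https://example.org/security/pgp.txt). We acknowledge
reports within 3 business days and coordinate disclosure after a fix ships.
"""


def find_security_policy(repo_root):
    """Return the policy path relative to repo_root, or None if absent.

    Lowercases the directory listing instead of probing os.path.exists(),
    because on case-sensitive filesystems (typical Linux CI runners)
    exists("SECURITY.md") would miss a file named "security.MD".
    """
    for rel_dir in CANDIDATE_DIRS:
        full_dir = os.path.join(repo_root, rel_dir)
        if not os.path.isdir(full_dir):
            continue
        for name in sorted(os.listdir(full_dir)):
            candidate = os.path.join(full_dir, name)
            if name.lower() == POLICY_NAME and os.path.isfile(candidate):
                return os.path.join(rel_dir, name) if rel_dir else name
    return None


CONTACT_PATTERNS = (
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),     # an e-mail address
    re.compile(r"https?://\S+", re.IGNORECASE),   # a URL, e.g. a private tracker
)


def has_reporting_channel(policy_path):
    """Heuristic (an assumption of this example, not part of the page's check):
    does the policy name at least one concrete contact route, e-mail or URL?"""
    with open(policy_path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return any(p.search(text) for p in CONTACT_PATTERNS)


def evaluate_repo(repo_root):
    """Combine both checks into one result dict for a repository checkout."""
    rel = find_security_policy(repo_root)
    if rel is None:
        return {"found": False, "path": None, "has_channel": False}
    return {
        "found": True,
        "path": rel,
        "has_channel": has_reporting_channel(os.path.join(repo_root, rel)),
    }


def build_demo_repo(policy_dir=".github", file_name="security.MD", body=SAMPLE_POLICY):
    """Create a throwaway checkout containing a constructed policy file
    (mixed-case name on purpose) and return its root path."""
    root = tempfile.mkdtemp(prefix="policy-check-")
    target_dir = os.path.join(root, policy_dir) if policy_dir else root
    os.makedirs(target_dir, exist_ok=True)
    with open(os.path.join(target_dir, file_name), "w", encoding="utf-8") as fh:
        fh.write(body)
    return root


if __name__ == "__main__":
    print(evaluate_repo(build_demo_repo()))
    print(evaluate_repo(tempfile.mkdtemp(prefix="no-policy-")))
```

The lookup deliberately scans each directory listing rather than testing `os.path.exists("SECURITY.md")`, since a file committed as `security.MD` satisfies the policy requirement but would be missed by a case-sensitive existence test on Linux runners.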