
SECURITY.md outdated? #863

Open
j-huff opened this issue Sep 26, 2024 · 4 comments

Comments

@j-huff

j-huff commented Sep 26, 2024

It's unclear to me if the email address [email protected] is still being used (I've gotten no response in weeks). On NASA's website, it says to report via bugcrowd, though I'm unsure if this applies to open source projects on github: https://www.nasa.gov/vulnerability-disclosure-policy/

This SECURITY.md file is one of the top search results on google when searching how to report vulnerabilities in open source projects to NASA, so it should be updated to reflect the current policy.

@bressler95tops
Contributor

bressler95tops commented Sep 27, 2024

Thank you @j-huff, I will run this by the team just to confirm. But, I do see the old version of the same page you provided mentions that email address. I personally think it would be best to match the new vulnerability report guidance.

@j-huff
Author

j-huff commented Sep 27, 2024

The issue is that as far as I can tell from the language on the new page, open source projects are out of scope. Additionally, DoS vulnerabilities are out of scope, as NASA doesn't want people crashing the websites/services listed as in scope. However, this leaves a large category of possible vulnerabilities as out of scope, such as being able to craft and send a malicious packet that will cause the receiving communication software to leak an arbitrary amount of memory and/or crash. That would typically be classified as high severity, but is out of scope according to that page.

"Testing is only authorized on the targets listed as in scope"

"NASA internal-only services are not in scope and are not authorized for testing. Additionally, vulnerabilities found in non-federal systems from our vendors and contractors fall outside of this policy’s scope and should be reported directly to the vendor or contractor according to their disclosure policy (if any)."

I think it would be best to have clear language about how vulnerabilities in open source projects should be reported. My assumption is that they should now be disclosed privately to the repository maintainers.

@nasacrawford
Contributor

Thanks for the feedback @j-huff. I'll pass it on to the security team. Please feel free to follow up with me by email.

@bressler95tops
Contributor

Great points @j-huff, I do see the scope of that page excludes a number of things that could be further clarified for open source projects specifically. Thanks for jumping in @nasacrawford, I think that is a great idea to go right to the source on that. I am happy to update the content based on the result of your reaching out.
