[OPEN-ILS-DEV] Questions about security bugs/process

Kathy Lussier klussier at masslnc.org
Wed Mar 4 10:46:29 EST 2015


Good morning Evergreen developers!

Thanks to everyone for getting the recent security release out, 
particularly to Jason Stephenson for creating the fixes for the security 
issues and to Dan Wells, Ben Shum, and Bill Erickson for coordinating 
the release cutting.

A couple of questions arose as I was reviewing the LP bugs that describe 
the problems that were being fixed by the security releases. LP1206589 
was submitted on July 30, 2013 and is related to information that any 
site using credit card processing would want to keep private. We have 
one site that has been using credit card processing since before the bug 
was filed. I'm sure there are other sites in the community that were 
also using it or that may have decided to implement credit card 
processing after the bug was filed.

All of these sites would have wanted to know that there was a security 
issue with these credit card settings, as well as the additional 
security issues identified in LP1424755. However, once LP1206589 was set 
to a private security bug in September 2013, these sites had no way of 
finding out that there was a security issue that a small group of 
community members were aware of.

Knowledge of that security issue may have influenced their decision to 
implement/continue using credit card processing. If credit card 
processing was a critical service in their environments, they may also 
have made the decision to fund a fix for the bug sooner.

Here are my questions regarding security bugs:

Who is allowed access to security bugs and are there ways others in the 
community can find out about these bugs? I understand why we don't want 
this information available to the general public, but, IMO, the closed 
nature of security bugs only works in an environment where we know we 
can get a quick turnaround on fixes for critical security issues.

What is the typical turnaround time for security bugs that are 
ultimately determined to be of critical or high importance? Was the 
turnaround time on this security issue unique or are there other 
security bugs that have been in LP for several months that would cause 
me to lose sleep if I knew they existed?

I'm also curious about the general process that follows the submission 
of a security bug. Is there somebody that goes through them to identify 
which ones require some immediacy and then makes sure they get addressed 
in a timely manner?

I really think we need to increase the transparency of these bugs 
without compromising the security of our systems in the process. Any 
site running Evergreen in a production environment should have a right 
to know when a known security bug affects their system, especially when 
it comes to those bugs that have been left unresolved for many months. 
Maybe we could allow one trusted person from each site to subscribe to 
security bugs or maybe there are other methods for sharing this 
information for Evergreen sites. I would like to hear thoughts from 
others on how we can improve transparency.

Thanks!
Kathy


-- 
Kathy Lussier
Project Coordinator
Massachusetts Library Network Cooperative
(508) 343-0128
klussier at masslnc.org
Twitter: http://www.twitter.com/kmlussier


