From 22eb4a899a819e2211b4a42bac80aff989fbdaf6 Mon Sep 17 00:00:00 2001 From: Jacques Vidrine Date: Tue, 2 Jul 2002 15:39:38 +0000 Subject: [PATCH] = Who are the Security Officer and Security Officer Team = Information handling policies --- en/security/advisories.xml | 192 ++++++++++++++++++++++++++++++++----- en/security/security.sgml | 192 ++++++++++++++++++++++++++++++++----- share/sgml/advisories.xml | 192 ++++++++++++++++++++++++++++++++----- 3 files changed, 504 insertions(+), 72 deletions(-) diff --git a/en/security/advisories.xml b/en/security/advisories.xml index e89bed45dc..c248e5d037 100644 --- a/en/security/advisories.xml +++ b/en/security/advisories.xml @@ -1,10 +1,10 @@ - + %includes; ]> - + &header; @@ -25,7 +25,8 @@ introduce vulnerabilities.

Table of Contents

-

The FreeBSD Security Officer Team

+

The FreeBSD Security Officer and the Security Officer Team

To better coordinate information exchange with others in the security -community, FreeBSD has a focal point for security related communications: -the FreeBSD Security Officer team. -The position is staffed by a team of dedicated security officers, -whose main tasks are to send out advisories when there are known security -holes and to act on reports of possible security problems with FreeBSD.

+community, FreeBSD has a focal point for security-related communications: +the FreeBSD Security Officer.

-

If you need to contact someone from FreeBSD about a -possible security bug, you should therefore send mail to the Security Officer team -with a description of what you have found and the type of vulnerability it -represents. The Security Officer team also communicates with the various -CERT and FIRST teams around the world, -sharing information about possible vulnerabilities in FreeBSD or -utilities commonly used with FreeBSD. The Security Officers are also -active members of those organizations.

+

If you need to contact the FreeBSD Project about +a possible security issue, you should therefore send mail to the Security +Officer with a description of what you have found and the type of +vulnerability it represents.

-

If you do need to contact the Security Officer team about a particularly -sensitive matter, please use their PGP key - to encrypt your message before sending it.

+

In order that the FreeBSD Project may respond to vulnerability +reports in a timely manner, there are four members of the Security +Officer mail alias: the Security Officer, the Deputy Security Officer, +and two Core Team liaisons. Therefore, messages sent to the +<security-officer@FreeBSD.org> +mail alias are currently delivered to:

+ + + + + + + + + + + + + + + + + + +
Jacques Vidrine <nectar@FreeBSD.org>Security Officer
Chris Faulhaber <jedgar@FreeBSD.org>Deputy Security Officer
Robert Watson <rwatson@FreeBSD.org>FreeBSD Core Team member, Release Engineering liaison,
+ TrustedBSD Project liaison, system security architecture expert
Warner Losh <imp@FreeBSD.org>FreeBSD Core Team liaison, Security Officer Emeritus
+ +

The Security Officer is supported by the Security Officer Team +<security-team@FreeBSD.org>, a +group of committers selected by the Security Officer. The current +make up of the team is as follows:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Bill Fumerola <billf@FreeBSD.org>FreeBSD Infrastructure liaison
Daniel Harris <dannyboy@FreeBSD.org>
Trevor Johnson <trevor@FreeBSD.org>
Kris Kennaway <kris@FreeBSD.org>Port Manager liaison, Security Officer Emeritus
Wes Peters <wes@FreeBSD.org>Core Team liaison
Guido van Rooij <guido@FreeBSD.org>Security Officer Emeritus
Dag-Erling Smorgrav <des@FreeBSD.org>
+ +

Please use the Security +Officer PGP key to encrypt your messages to the Security Officer +when appropriate.

+ + +

Information handling policies

+ +

As a general policy, the FreeBSD Security Officer favors full +disclosure of vulnerability information after a reasonable delay to +permit safe analysis and correction of a vulnerability, as well as +appropriate testing of the correction, and appropriate coordination +with other affected parties.

+ +

The Security Officer will notify one or more of the +FreeBSD Cluster Admins of +vulnerabilities that put the FreeBSD Project's resources under +immediate danger.

+ +

The Security Officer may bring additional FreeBSD developers +or outside developers into discussion of a submitted security +vulnerability if their expertise is required to fully understand or +correct the problem. Appropriate discretion will be exercised to +minimize unnecessary distribution of information about the submitted +vulnerability, and any experts brought in will act in accordance of +Security Officer policies. In the past, experts have been brought +in based on extensive experience with highly complex components of +the operating system, including FFS, the VM system, and the network +stack.

+ +

If a FreeBSD release process is underway, the FreeBSD Release +Engineer may also be notified that a vulnerability exists, and its +severity, so that informed decisions may be made regarding the release +cycle and any serious security bugs present in software associated +with an up-coming release. If requested, the Security Officer will +not share information regarding the nature of the vulnerability with +the Release Engineer, limiting information flow to existence and +severity.

+ +

The FreeBSD Security Officer has close working relationships +with a number of other organizations, including third-party vendors +that share code with FreeBSD (the OpenBSD and NetBSD projects, +Apple, and other vendors deriving software from FreeBSD, as well +as the Linux vendor security list), as well as organizations +that track vulnerabilities and security incidents, such as CERT. +Frequently vulnerabilities may extend beyond the scope of the +FreeBSD implementation, and (perhaps less frequently) may have +broad implications for the global networking community. Under such +circumstances, the Security Officer may wish to disclose vulnerability +information to these other organizations: if you do not wish the +Security Officer to do this, please indicate so explicitly in any +submissions.

+ +

Submitters should be careful to explicitly document any special +information handling requirements.

+ +

If the submitter of a vulnerability is interested in a coordinated +disclosure process with the submitter and/or other vendors, this +should be indicated explicitly in any submissions. In the absence +of explicit requests, the FreeBSD Security Officer will select a +disclosure schedule that reflects both a desire for timely disclosure +and appropriate testing of any solutions. Submitters should be aware +that if the vulnerability is being actively discussed in public forums +(such as bugtraq), and actively exploited, the Security Officer may +choose not to follow a proposed disclosure timeline in order to +provide maximum protection for the user community.

+ +

Submitters should be aware that the FreeBSD Project is an open +source project, and source revision control information for every +change made to the FreeBSD source tree is publically accessible. If a +disclosure schedule is provided, it should take into account both the +official release of advisory, patch, and update information, as well +as initial inclusion of fixes in the FreeBSD source tree. There is +necessarily a lag between the inclusion of fixes in the tree and the +generation and releases of advisories, patches, and binary updates, as +the source control system is used to generate them.

+ +

Submissions may be protected using PGP. If desired, responses will +also be protected using PGP.

FreeBSD Security Advisories

-

The FreeBSD Security Officer Team provides security advisories for the +

The FreeBSD Security Officer provides security advisories for the following releases of FreeBSD:
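Review bot: the new policy text carries several spelling and grammar slips that should be fixed before this goes in: "The current make up of the team" should read "makeup", "act in accordance of Security Officer policies" should be "in accordance with", "an up-coming release" should be "upcoming", "publically accessible" should be "publicly accessible", and "the generation and releases of advisories, patches, and binary updates" should be "generation and release". The sentence "If the submitter of a vulnerability is interested in a coordinated disclosure process with the submitter and/or other vendors" is also ambiguous, since the submitter cannot coordinate with itself; it should name the other party explicitly (the Security Officer, other vendors, or both) so submitters know what they are opting into. The summary shows the identical 192-line change applied to en/security/advisories.xml, en/security/security.sgml and share/sgml/advisories.xml, so each correction has to be mirrored in all three copies.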