Security Response Mechanism

The Community needs some sort of security response mechanism. Would a simple, well-advertised email be sufficient? Need we more infrastructure? Or shall they continue to email matt and gato?

daryl

I wonder whether one person will be enough. Maybe this email address should forward the report to a group of users. After receiving this letter, this group will wait until the main user posts the report here. If somehow he misses the report or is absent (vacation, etc.), then someone else in the group will post it here.

A (well formed) email to a group of people (including Matt and Gato) would be best, for the reasons that Wroot gave. All progress on the issue should be tracked centrally, to avoid people doing duplicate work in the rush of things. JIRA is an appropriate tool here. For security issues that relate to exploits, we should keep the related JIRA issue private: visible to only the group of people mentioned earlier, plus the issue reporter.

Question is to Benjamin/Matt then: can an email list of security@igniterealtime.org be set up?

daryl

I can certainly set up a list. To be clear:

security@igniterealtime.org will send to Matt and Gato. Others can be added in the future as needed/desired.

I can set it up as soon as that’s confirmed.

Doesn’t that go back to requiring Matt and Gato to “do something” with Openfire where they probably don’t have time to put into it?

I would recommend that at least one community person be on this. (And no, I’m not volunteering.)

I’m assuming this list is expected to be where “There has been a security advisory written for Openfire et al” type stuff goes to?

Daniel, I think you are right about the type of the letters. I suggest putting Daryl on the list. And you can also put me as a backup.

That’d be fine: akrherz@iastate.edu

daryl

If you decide to add mine, here: wrath@rambler.ru

Setup completed.

security@igniterealtime.org --> matt@jivesoftware.com, gato@jivesoftware.com, akrherz@iastate.edu, wrath@rambler.ru

So, now it should be advertised somewhere on the site. Maybe in the Projects part in every product description? Also it should be somehow emphasized so it is noticed more easily. It could be an announcement in the forums, but announcements can be used for something else also, so maybe that’s not suitable for this.

wroot,

I think a document page is in order and will generate one in this group to get the ball rolling.

daryl

Ah, this is ok for keeping the list of security issues. But this is not about advertising the email address. Someone will have to dig up this document to find out the address.

I have just tried to email this security@igniterealtime.org and I didn’t yet get anything. Maybe I’m not supposed to. What about the others? I have emailed about this:

wroot: you are on the alias list, "wrath@rambler.ru" … Did you ever get my email? I sent a test email out when I set this up a few days ago… maybe check spam folder?

Perhaps we could make a top-level space in the forums for “Security Reports” … We can customize its homepage with a link to the document, and also have the email address there.

This could be a place where the team documents known security issues, and we only accept reports via email… or we could optionally allow reports here, or in a sub-space.

I think we need to advertise it, but not place the email address all over the site, either.

benjamin wrote:

wroot: you are on the alias list, "wrath@rambler.ru" … Did you ever get my email? I sent a test email out when I set this up a few days ago… maybe check spam folder?

No, I didn’t get it. I don’t have any local spam filter, unless my email provider is doing some filtering, but I’m getting email notifications from community@igniterealtime.org. Try switching the alias to my other address: wrooot@gmail.com (yes, 3 o’s). And send a test message.

benjamin wrote:

Perhaps we could make a top-level space in the forums for “Security Reports” …

As I’m looking at the default Community view, this sounds good. We can put it above the Product Releases and News, or above the Support, or somewhere else? I think it could be just a plain page with the link to a document of issues and the email address.

Changed to wrooot@gmail.com and sent another test email. It’s odd you weren’t getting it because the mail log showed delivery to your mail server.

OK, I will create a space for it, then move the document created by Daryl.