Type: Story
Resolution: Done
Priority: Highest
Since the secure-email approach runs into challenges when 3GPP has to interact with corporate policies in member organizations, an alternative based on a ticketing system such as Jira should be explored.
SECCCOM-2019-01-30
The following was submitted:
A Jira board where:
- Anyone can submit a vulnerability Jira (with or without an LF ID).
- By default, the Vulnerability Management sub-committee members are the only ones who have the right to view and access all the included Jiras.
- The Vulnerability Management sub-committee receives a notification that there is a new Jira, but without the details.
- It is possible to extend the security settings on a per-Jira basis and a per-individual basis to grant access to selected individuals who are required to solve the identified vulnerability.
- Finally, it should be possible to remove the access restrictions and move the Jira (when completed) to the appropriate project Jira.
Its replies need to be updated.
[2019-02-13]
Considering Launchpad as a platform for vulnerability reports; used by OpenStack today:
- Launchpad requires an Ubuntu report.
- Requires sending an empty email.
- Krzysztof will update the Jira ticket with the details of the OpenStack process.
Recommendation:
- Drop the requirements that cannot be fulfilled: (1) opening a Jira for a user without an LFID; (2) empty notifications (no bug content).
- Create a Jira and, in work, create GPG keys for a few key people to receive critical vulnerability reports.
- Pawel will bring the recommendation to the TSC; target: 2019-02-14 TSC meeting.
Mentioned in:
1. Update Vulnerabilities Management Process & Present it to TSC for approval (Closed, kopasiak)