Envoy is a large growing community of volunteers, users, and vendors. The Envoy community has adopted this security disclosure and response policy to ensure we responsibly handle critical issues.
Security vulnerabilities should be handled quickly and sometimes privately. The primary goal of this process is to reduce the total time users are vulnerable to publicly known exploits.
The Product Security Team (PST) is responsible for organizing the entire response including internal communication and external disclosure but will need help from relevant developers to successfully run this process.
The initial Product Security Team will consist of all maintainers in the private envoy-security list. In the future we may decide to have a subset of maintainers work on security response given that this process is time consuming.
The Envoy community asks that all suspected vulnerabilities be privately and responsibly disclosed via the reporting policy.
If you know of a publicly disclosed security vulnerability please IMMEDIATELY email envoy-security to inform the Product Security Team (PST) about the vulnerability so they may start the patch, release, and communication process.
If possible the PST will ask the person making the public report if the issue can be handled via a private disclosure process (for example if the full exploit details have not yet been published). If the reporter denies the request for private disclosure, the PST will move swiftly with the fix and release process. In extreme cases GitHub can be asked to delete the issue but this generally isn't necessary and is unlikely to make a public disclosure less damaging.
For each vulnerability a member of the PST will volunteer to lead coordination with the "Fix Team" and is responsible for sending disclosure emails to the rest of the community. This lead will be referred to as the "Fix Lead."
The role of Fix Lead should rotate round-robin across the PST.
Note that given the current size of the Envoy community it is likely that the PST is the same as the "Fix team." (I.e., all maintainers). The PST may decide to bring in additional contributors for added expertise depending on the area of the code that contains the vulnerability.
All of the timelines below are suggestions and assume a private disclosure. The Fix Lead drives the schedule using their best judgment based on severity and development time. If the Fix Lead is dealing with a public disclosure all timelines become ASAP (assuming the vulnerability has a CVSS score >= 4; see below). If the fix relies on another upstream project's disclosure timeline, that will adjust the process as well. We will work with the upstream project to fit their timeline and best protect our users.
If the vulnerability affects the last point release version, e.g. 1.10, then the full security release process described in this document will be activated. A security point release will be created for 1.10, e.g. 1.10.1, together with a fix to master if necessary. Older point releases, e.g. 1.9, are not supported by the Envoy project and will not have any security release created.
If a security vulnerability affects only these older versions but not master or the last supported point release, the Envoy security team will share this information with the private distributor list, following the standard embargo process, but not create a security release. After the embargo expires, the vulnerability will be described as a GitHub issue. A CVE will be filed if warranted by severity.
If a vulnerability does not affect any point release but only master, additional caveats apply:
We advise distributors and operators working from the master branch to allow at least 5 days soak time after cutting a binary release before distribution or rollout, to allow time for our fuzzers to detect issues during their execution on ClusterFuzz. A soak period of 7 days provides an even stronger guarantee, since we will invoke the security release process for medium or higher severity issues for these older bugs.
See https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/threat_model. Vulnerabilities are evaluated against this threat model when deciding whether to activate the Envoy security release process.
These steps should be completed within the first 24 hours of disclosure.
These steps should be completed within the 1-7 days of Disclosure.
If the CVSS score is under 4.0 (a low severity score) the Fix Team can decide to slow the release process down in the face of holidays, developer bandwidth, etc. These decisions must be discussed on the envoy-security mailing list.
A three week window will be provided to members of the private distributor list from candidate patch availability until the security release date. It is expected that distributors will normally be able to perform a release within this time window. If there are exceptional circumstances, the Envoy security team will raise this window to four weeks. The release window will be reduced if the security issue is public or embargo is broken.
All reports to envoy-security@googlegroups.com will be triaged and have an initial response within 1 business day.
Privately disclosed issues will be fixed or publicly disclosed within 90 days by the Envoy security team. In exceptional circumstances we reserve the right to work with the discloser to coordinate on an extension, but this will be rarely used.
Any issue discovered by the Envoy security team and raised in our private bug tracker will be converted to a public issue within 90 days. We will regularly audit these issues to ensure that no major vulnerability (from the perspective of the threat model) is accidentally leaked.
Fuzz bugs are subject to a 90 day disclosure deadline.
Three weeks notice will be provided to private distributors from patch availability until the embargo deadline.
Public zero days will be fixed ASAP, but there is no SLO for this, since this will depend on the severity and impact to the organizations backing the Envoy security team.
With the fix development underway, the Fix Lead needs to come up with an overall communication plan for the wider community. This Disclosure process should begin after the Fix Team has developed a Fix or mitigation so that a realistic timeline can be communicated to users.
Disclosure of Forthcoming Fix to Users (Completed within 1-7 days of Disclosure)
The communication to users should be actionable. They should know when to block time to apply patches, understand exact mitigation steps, etc.
Optional Fix Disclosure to Private Distributors List (Completed within 1-14 days of Disclosure):
Fix Release Day (Completed within 1-21 days of Disclosure)
These steps should be completed 1-3 days after the Release Date. The retrospective process should be blameless.
This list is intended to be used primarily to provide actionable information to multiple distribution vendors as well as a limited set of high impact end users at once. This list is not intended in the general case for end users to find out about security issues.
The information members receive on cncf-envoy-distributors-announce must not be made public, shared, nor even hinted at anywhere beyond the need-to-know within your specific team except with the list's explicit approval. This holds true until the public disclosure date/time that was agreed upon by the list. Members of the list and others may not use the information for anything other than getting the issue fixed for your respective users.
Before any information from the list is shared with respective members of your team required to fix said issue, they must agree to the same terms and only find out information on a need-to-know basis.
We typically expect a single point-of-contact (PoC) at any given legal entity. Within the organization, it is the responsibility of the PoC to share CVE and related patches internally. This should be performed on a strictly need-to-know basis with affected groups to the extent that this is technically plausible. All teams should be aware of the embargo conditions and accept them. Ultimately, if an organization breaks embargo transitively through such sharing, they will lose the early disclosure privilege, so it's in their best interest to carefully share information internally, following best practices and use their judgement in balancing the tradeoff between protecting users and maintaining confidentiality.
The embargo applies to information shared, source code and binary images. It is a violation of the embargo policy to share binary distributions of the security fixes before the public release date. This includes, but is not limited to, Envoy binaries and Docker images. It is expected that distributors have a method to stage and validate new binaries without exposing them publicly.
If the information shared is under embargo from a third party, where Envoy is one of many projects that a disclosure is shared with, it is critical to consider that the ramifications of any leak will extend beyond the Envoy community and will leave us in a position in which we will be less likely to receive embargoed reports in the future.
In the unfortunate event you share the information beyond what is allowed by this policy, you must urgently inform the envoy-security@googlegroups.com mailing list of exactly what information leaked and to whom. A retrospective will take place after the leak so we can assess how to prevent making the same mistake in the future.
If you continue to leak information and break the policy outlined here, you will be removed from the list.
This is a team effort. As a member of the list you must carry some water. This could be in the form of the following:
Technical
Administrative
To be eligible for the cncf-envoy-distributors-announce mailing list, your use of Envoy should:
Be either:
OR
OR
Have a user or customer base not limited to your own organization (except for option 3 above). We will use the size of the user or customer base as part of the criteria to determine eligibility.
Have a publicly verifiable track record up to present day of fixing security issues.
Not be a downstream or rebuild of another distribution.
Be a participant and active contributor in the community.
Accept the Embargo Policy that is outlined above. You must have a way to privately stage and validate your updates that does not violate the embargo.
Be willing to contribute back as outlined above.
Be able to perform a security release of your product within a two week window from candidate fix patch availability.
Have someone already on the list vouch for the person requesting membership on behalf of your distribution.
Nominate an e-mail alias or list for your organization to receive updates. This should not be an individual user address, but instead a list that can be maintained by your organization as individuals come and go. A good example is envoy-security@seven.com, a bad example is acidburn@seven.com. You must accept the invite sent to this address or you will not receive any e-mail updates. This e-mail address will be shared with the Envoy community.
Note that Envoy maintainers are members of the Envoy security team. Members of the Envoy security team and the organizations that they represent are implicitly included in the private distributor list. These organizations do not need to meet the above list of criteria with the exception of the acceptance of the embargo policy.
New membership requests are sent to envoy-security@googlegroups.com.
In the body of your request please specify how you qualify and fulfill each criterion listed in Membership Criteria.
Here is a pseudo example:
To: envoy-security@googlegroups.com
Subject: Seven-Corp Membership to cncf-envoy-distributors-announce
Below are each criterion and why I think we, Seven-Corp, qualify.
> 1. Be an actively maintained distribution of Envoy components OR offer Envoy as a publicly
available service in which the product clearly states that it is built on top of Envoy OR
be a well known end user of sufficient size, scale, and impact to make your
inclusion worthwhile.
We distribute the "Seven" distribution of Envoy [link]. We have been doing
this since 1999 before proxies were even cool.
OR
We use Envoy for our #1 rated cat video service and have 40 billion MAU, proxying 40 trillion^2 RPS
through Envoy at the edge. Secure cat videos are our top priority. We also contribute a lot to the Envoy
community by implementing features, not making Matt ask for documentation or tests, and writing blog
posts about efficient Envoy cat video serving.
> 2. Have a user or customer base not limited to your own organization. Please specify an
> approximate size of your user or customer base, including the number of
> production deployments.
Our user base spans of the extensive "Seven" community. We have a slack and
GitHub repos and mailing lists where the community hangs out. We have ~2000
customers, of which approximately 400 are using Seven in production. [links]
> 3. Have a publicly verifiable track record up to present day of fixing security
issues.
We announce on our blog all upstream patches we apply to "Seven." [link to blog
posts]
> 4. Not be a downstream or rebuild of another distribution. If you offer Envoy as a publicly
> available infrastructure or platform service, this condition does not need to apply.
This does not apply, "Seven" is a unique snowflake distribution.
> 5. Be a participant and active contributor in the community.
Our members, Acidburn, Cereal, and ZeroCool are outstanding members and are well
known throughout the Envoy community. Especially for their contributions
in hacking the Gibson.
> 6. Accept the Embargo Policy that is outlined above. You must
have a way to privately stage and validate your updates that does not violate
the embargo.
We accept.
> 7. Be willing to contribute back as outlined above.
We are definitely willing to help!
> 8. Be able to perform a security release of your product within a two week window from candidate fix
patch availability.
We affirm we can spin out new security releases within a 2 week window.
> 9. Have someone already on the list vouch for the person requesting membership
> on behalf of your distribution.
CrashOverride will vouch for the "Seven" distribution joining the distribution list.
> 10. Nominate an e-mail alias or list for your organization to receive updates. This should not be
an individual user address, but instead a list that can be maintained by your organization as
individuals come and go. A good example is envoy-security@seven.com, a bad example is
acidburn@seven.com. You must accept the invite sent to this address or you will not receive any
e-mail updates. This e-mail address will be shared with the Envoy community.
envoy-security@seven.com
In all cases, members of the distribution list will be reviewed on a yearly basis by the maintainers and security team to ensure they still qualify for inclusion on the list.
Organization | End User | Last Review | |
---|---|---|---|
envoy-security-team@aspenmesh.io | Aspen Mesh | No | 12/19 |
aws-app-mesh-security@amazon.com | AWS | No | 12/19 |
security@cilium.io | Cilium | No | 12/19 |
vulnerabilityreports@cloudfoundry.org | Cloud Foundry | No | 12/19 |
secalert@datawire.io | Datawire | No | 12/19 |
google-internal-envoy-security@google.com | No | 12/19 | |
argoprod@us.ibm.com | IBM | No | 12/19 |
istio-security-vulnerability-reports@googlegroups.com | Istio | No | 12/19 |
secalert@redhat.com | Red Hat | No | 12/19 |
envoy-security@solo.io | solo.io | No | 12/19 |
envoy-security@tetrate.io | Tetrate | No | 12/19 |
security@vmware.com | VMware | No | 12/19 |
envoy-security@pinterest.com | Yes | 12/19 | |
envoy-security@dropbox.com | Dropbox | Yes | 01/20 |
envoy-security-predisclosure@stripe.com | Stripe | Yes | 01/20 |
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。