Hi folks, I'd like to propose a change in process for osquery's security policy. I think we have all the tools to handle reports, issue CVEs, fix and release without needing FB's CNA capabilities or FB Whitehat involvement.
What I propose is we change the SECURITY.md to be more concrete about how to report, either mention in #core or DM one of the TSC on Slack (with a link to the list of usernames). We also include a few sentences about how we proceed with fixing and applying for a CVE if needed through GitHub's security advisory feature.
The motivation behind this is to provide us more efficacy over handling the end-to-end and helping reduce the scope of the FB Whitehat. FB's program focuses on security impact to FB projects and configuration. This means best-practice hardening recommendations for osquery, which do not impact FB, can result in a bad experience for researchers. In these instances, if FB were to choose to issue a reward, we would hold ourselves to an SLA that is difficult to keep; what I mean by this is that FB would have to coordinate with the group here to land a fix. I know I bridge this gap and could commit to maintaining the SLA. Please understand that while I'd absolutely love to do this, I cannot commit to this right now.
By removing osquery from FB Whitehat we remove the ambiguity of whether a best-practice recommendation has security impact to FB, and we remove any false expectations around SLA commitment. Those are upsides; the downside is researchers cannot earn bounty for their hard and meaningful work.
I do not have an alternative for providing bounty features for osquery security reports but perhaps in the future we can explore HackerOne/etc if we have finances to support this.
06/13/2020, 12:05 AM
Hi, just to jump in: we at the LF and CII are working to provide a set of both tools and guidelines for all OSS projects to be more secure. Wondering if we should share a straw man and have some input, or vice versa; we could just borrow your security.md as suggestions for other projects?
06/13/2020, 12:15 AM
I can’t speak for Teddy, but I think it’s fine if you want to point people at our SECURITY.md. I’m always happy to read initial proposals, though time feels especially scarce during the pandemic.
06/13/2020, 12:16 AM
Sure understood. I think we are trying to find a way to provide guidance if there is an appetite, as well as tools if helpful.
06/13/2020, 12:18 AM
You did mention CII. That thing felt pretty overwhelming, especially for established projects. Not that anything was bad, but many of them involved shifts in process.