Hi folks, I'd like to propose a change in process for osquery's security policy. I think we have all the tools to handle reports, issue CVEs, fix and release without needing FB's CNA capabilities or FB Whitehat involvement.
What I propose is that we change the SECURITY.md to be more concrete about how to report: either mention it in #core or DM one of the TSC members on Slack (with a link to the list of usernames). We would also include a few sentences about how we proceed with fixing, and with applying for a CVE if needed through GitHub's security advisory feature.
The motivation behind this is to give us more efficacy over handling the process end-to-end and to help reduce the scope of the FB Whitehat. FB's program focuses on security impact to FB projects and configuration. This means best-practice hardening recommendations for osquery, which do not impact FB, can result in a bad experience for researchers. In these instances, if FB were to choose to issue a reward, we would hold ourselves to an SLA that is difficult to keep; what I mean by this is that FB would have to coordinate with the group here to land a fix. I know I bridge this gap and could commit to maintaining the SLA. Please understand that while I'd absolutely love to do this, I cannot commit to it right now.
By removing osquery from FB Whitehat, we remove the ambiguity of whether a best-practice recommendation has security impact to FB, and we remove any false expectations around SLA commitment. Those are the upsides; the downside is that researchers cannot earn a bounty for their hard and meaningful work.
I do not have an alternative for providing bounty features for osquery security reports, but perhaps in the future we can explore HackerOne or similar if we have the finances to support it.