CVE management process for Node.js

[mhdawson]

I had a discussion @dadinolfi from Mitre about the options for managing CVE's for Node.js.

There are 2 options that we have:

• Act as a CNA
• Use the web form to request CVE's as a one off.

Some open source projects already acting as a CNA

• OpenSSL
• Apache (covers all of apache)
• Drupal
• DWF (give CVEs for open source)

There are pros/cons as outlined in the sections which follows.

From my read of he rules and my discussion with @dadinolfi I think the extra work in being a CNA will be relatively small and have the community being able to control the CVE's assigned for Node.js would be good so I'd lean towards the option of Acting as a CNA.

Acting as CNA

When we act as a CNA, we get a block of CVE's at the start of the year and then assign these ourselves. When publicly disclose the vulnerability we use the web form (and other methods like json in the future) to provide info to Mitre which get published in the CVE. This information is relatively minimal

If any other entity wants a CVE for Node.js they will be referred to us and we decide based on the CNA rules if we believe a CVE should be assigned and if appropriate provide one to the requesting entity.

The full rules for acting as a CNA are here: http://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf

• Pros

  • We can quickly assign CVE's
  • We have full control over the CVE's assigned for Node.js

• Cons

  • Some additional reporting requirements
  • We need to make sure those in the community implementing the process follow the rules

• misc

  • We need to be responsive to requests for CVE's
  • We need to provide Mitre with at least a couple of primary contacts that will respond to their enquiries
  • We need to plan to request our block of CVE's once a year.

CVE only public once public, don't publish number until public, release when embargo is lifted.

Web form

• Pros:

  • No pre-planning
  • Minimum work

• Cons

  • Longer cycle time to get CVE assigned and details published
  • Third parties could request/get assigned CVE's on Node.js that we may not agree with.

[mcollina]

I think we should act as a CNA, if we have the bandwidth to do so.

[drifkin]

(edited to fix the link to the PDF)

[mhdawson]

@nodejs/security, @nodejs/security-wg would be good to get input from a good number of people as we'll need a number of people to agree to help with the work required if we chose to act as a CNA.

[grnd]

Acting as a CNA will also help us assigning CVEs to vulnerabilities in npm packages as well

[mhdawson]

Just catching up after beeing out a few weeks.

It was mentioned here: #17 (comment) that HackerOne might be able to act as a CNA for us. Its another option to consider.

@dadinolfi any comments on pros/cons of that ?

[dadinolfi]

If you are a HackerOne customer, they can assign CVE IDs for vulnerabilities reported through their platform. If a vulnerability is disclosed outside of HackerOne, they may not assign for it, which then leaves you in a similar space as now. Some of HackerOne's customers are already CNAs themselves, and they and HackerOne have worked out who will assign for what and when.

[mhdawson]

Talkin with @sam-github who re HackerOne we came to the conclusion we should probably become a CNA even if we end up using HackerOne.

@nodejs/tsc @nodejs/security @nodejs/security-wg Please comment if you have any objections to the project becoming its own CNA for CVEs.

[Fishrock123]

CNA seems like a reasonably good idea.