Security Playbooks – for Security WG members

Identify the owner of a repo

  • Check the catalog-info.yaml file.

  • Search for CODEOWNERS files in the repo.

  • Ask someone from edx.org/2U to consult the 2U Ownership Spreadsheet.

  • Ask the PR Triage CCs for help routing to the correct owners.
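
The first two checks above can be scripted against a local checkout. This is an added example, not Security WG tooling: it assumes catalog-info.yaml follows the Backstage layout with the owner under spec.owner, and the function names and sample data are constructed for illustration.

```python
import re
from pathlib import Path

# GitHub uses the first CODEOWNERS file it finds, searching in this order.
CODEOWNERS_PATHS = (".github/CODEOWNERS", "CODEOWNERS", "docs/CODEOWNERS")

def catalog_owner(text):
    """Return spec.owner from catalog-info.yaml text (Backstage layout, assumed)."""
    in_spec = False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if re.match(r"spec:\s*(#.*)?$", line):
            in_spec = True
        elif not line[0].isspace():  # any other top-level key ends the spec block
            in_spec = False
        elif in_spec:
            m = re.match(r"\s+owner:\s*['\"]?([^'\"#\s]+)", line)
            if m:
                return m.group(1)
    return None

def codeowners_entries(text):
    """Return [(pattern, [owners])]; on GitHub the last matching pattern wins."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop full-line and inline comments
        if line:
            pattern, *owners = line.split()
            entries.append((pattern, owners))
    return entries

def find_owners(repo_dir):
    """Collect owner hints from a local checkout of the repo."""
    repo = Path(repo_dir)
    found = {"catalog_owner": None, "codeowners_file": None, "codeowners": []}
    catalog = repo / "catalog-info.yaml"
    if catalog.is_file():
        found["catalog_owner"] = catalog_owner(catalog.read_text(encoding="utf-8"))
    for rel in CODEOWNERS_PATHS:
        path = repo / rel
        if path.is_file():
            found["codeowners_file"] = rel
            found["codeowners"] = codeowners_entries(path.read_text(encoding="utf-8"))
            break  # later locations are ignored by GitHub as well
    return found

# Constructed sample input, not taken from any Open edX repo.
SAMPLE_CATALOG = "kind: Component\nmetadata:\n  name: example-repo\nspec:\n  owner: group:example-team\n  type: service\n"
SAMPLE_CODEOWNERS = "*  @example-org/example-team\n/docs/  @example-user  # docs only\n"
```

Call `find_owners()` with the path to a checkout; if both results are empty, fall back to the remaining two steps in the list.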

Onboard or offboard a working group member

Add/remove in:

https://openedx.slack.com/archives/C048EGU3X2B
Welcome/farewell post in
Add the member to, or remove the member from, the on-call calendar
Update the weekly checking reminder
/remind #wg-security-private every Wednesday at 10 am to Weekly Update! @feanil @alangston @pshiu @magajh
• Update any issues you have on the [SWG Board](https://github.com/orgs/openedx/projects/45/views/1)
• In this thread, let everyone know:
  ◦ In one sentence, what are you working on for SWG this week?
  ◦ Are you stuck on anything?

Add in (no removal necessary):

Triage security@openedx.org emails

When you’re on-call, you must reply to emails sent to security@openedx.org.

Reply as security@openedx.org

You should receive all emails sent to security@openedx.org in your work email.

Use the Google Groups web interface to reply as

Change the “From:” field to security@openedx.org every time.

Assign emails to responders

Assign yourself to emails:

  • Received while you’re on-call

  • That you’re taking care of

In , click on a message, then click on the “Assign to someone” button:

Follow up

Please follow up periodically on all emails assigned to you. Why:

  • Remind the reporter you need more information.

  • Reassure the reporter we are looking at the issue.

If you need to, hand off the email to another working group member. Don’t forget to re-assign it to them.

Close out

If the email requires no further follow up, use one of these buttons to close out a message:

  • Complete: You did work on the message, even if it was only investigation.

  • Duplicate: The message is entirely covered by another message.

    • Google Groups will ask you for the URL of the original message. Fill it in.

  • No Action Needed: The message is frivolous, spam, or frivolous spam.

What to say

Our tone: direct, professional, but kind.

Tip: Hover over the right end of the response block to see a “Copy as text” button:

See & add to them!

  • Acknowledge the email quickly:

    • Thank you for your email. We will investigate.
  • Common inquiries & template responses:

    • Duplicates:

      • Thank you for your report. This is a duplicate of an earlier report that we are reviewing.
    • No update yet:

    • Need proof of concept:

    • Confirm correct destination:

    • Bug bounty:

  • Inapplicable reports/inquiries

    • Intentionally open source:

  • Close out the email thread.

    • Forwarded to an operator or Axim:

    • Not a security issue:

    • Verified vulnerability:

What to do

under construction

Forward a report to an operator or Axim

If a report applies only to a particular operator or to Axim:

  1. Find the operator’s contact information at

  2. “Forward” report to the operator from the Google Groups web interface

    1. Click on “Reply all” at the bottom of the email thread.

    2. Change sender to “security@openedx.org”

    3. Clear Cc: field to remove reporter’s email(s)

    4. Add operator’s email to Cc: field

    5. Change the subject prefix from “Re:” to “Fwd:”

    6. Check any relevant attachments are still included.

    7. Include a blurb, like below:

    8. Post message

  3. Reply all to the reporter’s original email so the email to the operator is not included in the thread.

    1. The Reply all button should look like the above and is to the right of the header of the reporter’s original email.

    2. Check the sender is still “security@openedx.org”

    3. Click on the … at the bottom of the draft to check other emails are not included in the reply.

    4. Include a blurb, like below:

For more information on why we provide this service, see and “Guidance for Operators” in .

Respond to a security disclosure

A security disclosure is an email from someone reporting a security vulnerability in Open edX software.

Our job:

  • Verify a security vulnerability exists

  • Find who owns the code

  • Create a GitHub Security Advisory (GHSA) for the affected repositories

    • Add: Title, Description, Ecosystem, and use CVSS Calculator

      • Ecosystem: npm or pip if applicable, otherwise None

    • Add the owners/team of the repo to the GitHub Security Advisory:

  • Share a link to the draft security advisory in #wg-security-private & get a thumbs-up

  • Email the maintainer:

    • Send from Google Groups:

      • Click on “New conversation”:

      • You should see a box like this pop up:

    • Include the severity rating (low, medium, high, or critical) provided by the CVSS calculator on the GitHub Security Advisory.

    • Template:

Give security advice

under construction

Process suggestions for security improvements

In our GitHub Project:

  1. Decide whether the suggestion is worth accepting.

    • If in doubt, create a ticket titled “Discuss […]”

  2. Consider whether the suggestion can be made public.

  3. Search for existing, similar suggestions.

  4. Create or comment on the issue for the suggestion.

    • Add a link to the Google Groups message

    • To add an issue:

      • Select “Convert to issue” and add the issue to the wg-security repo. [GitHub docs]

  5. Reply to the reporter:

  6. If a new issue, notify #wg-security:

Map a Name to a GitHub Username

It’s generally useful to be able to map real names to GitHub usernames, or to map GitHub usernames from a catalog-info.yaml file to real names, so that we can contact maintainers via other communication channels (email, Slack, Discourse, etc.).

As a security manager, you will have access to this mapping of names to GitHub usernames.

This is privileged information and the full document should not be shared with others. You should only be using it to help triage or resolve security incidents. For all other issues, seek help from the Axim Engineering team.

  1. Go to

  2. Look up the name or GitHub username.