Security Playbooks – for Security WG members

Identify the owner of a repo

  • Check the catalog-info.yaml file.

  • Search for CODEOWNERS files in the repo.

  • Ask someone from edx.org/2U to consult the 2U Ownership Spreadsheet.

  • Ask the PR Triage CCs for help routing to the correct owners.
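As an added example (not from this wiki page or the Open edX project), the following Python resolves which CODEOWNERS rule applies to a given path, using GitHub's last-matching-rule-wins semantics over a constructed sample file; the pattern matching is a simplified version of the gitignore rules and the owner names are made up.

```python
import re

# Constructed sample CODEOWNERS file (not taken from any real Open edX repo).
SAMPLE_CODEOWNERS = """
# Default owner for anything not matched by a later, more specific rule
*                         @openedx/maintainers-default
*.py                      @openedx/python-owners
/docs/                    @openedx/docs-team
/openedx/core/lib/        @openedx/core-team
# A rule that lists no owners marks that path as explicitly unowned
/openedx/core/lib/legacy/
"""

def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one CODEOWNERS pattern into a regex over a repo-relative path.
    Simplified gitignore semantics: a leading or embedded '/' anchors the pattern
    at the repo root; a trailing '/' matches a directory and everything in it;
    '*' does not cross '/', '**' does; '?' matches one character."""
    anchored = pattern.startswith("/") or "/" in pattern.strip("/")
    core = pattern.strip("/")
    parts, i = [], 0
    while i < len(core):
        if core.startswith("**", i):
            parts.append(".*")
            i += 2
        else:
            parts.append({"*": "[^/]*", "?": "[^/]"}.get(core[i], re.escape(core[i])))
            i += 1
    prefix = "^" if anchored else "(^|.*/)"
    if pattern.endswith("/"):
        suffix = "/.*$"        # directory rule: everything beneath it
    elif core.endswith("*"):
        suffix = "$"           # 'docs/*' style rule: direct children only
    else:
        suffix = "(/.*)?$"     # a file, or a directory and its contents
    return re.compile(prefix + "".join(parts) + suffix)

def resolve_owners(codeowners_text: str, path: str) -> "list[str] | None":
    """Owners of `path` under GitHub's last-matching-rule-wins semantics.
    [] means the winning rule lists no owners (explicitly unowned);
    None means no rule matched the path at all."""
    result = None
    for line in codeowners_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if _pattern_to_regex(tokens[0]).search(path.lstrip("/")):
            result = tokens[1:]
    return result
```

Note that a later rule overrides an earlier one even when the earlier one is more specific, so always read the whole file before deciding who owns a path.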

Onboard or offboard a working group member

Add/remove in:

  • Slack channel: https://openedx.slack.com/archives/C048EGU3X2B

  • view & edit permission

  • Add the member to, or remove them from, the on-call calendar

  • Update the weekly check-in reminder:

    /remind #wg-security-private every Wednesday at 10 am to Weekly Update! @feanil @alangston @pshiu @magajh • Update any issues you have on the [SWG Board](https://github.com/orgs/openedx/projects/45/views/1) • In this thread, let everyone know: ◦ In one sentence, what are you working on for SWG this week? ◦ Are you stuck on anything?

Add in (no removal necessary):

Triage security@openedx.org emails

When you’re on-call, you must reply to emails sent to security@openedx.org.

Reply as security@openedx.org

You should receive all emails sent to security@openedx.org in your work email.

Use the Google Groups web interface to reply as

Always change the “From:” field to security@openedx.org before sending; it is not set automatically.

Assign emails to responders

Assign yourself to emails:

  • Received while you’re on-call

  • That you’re taking care of

In https://groups.google.com/a/openedx.org/g/security, click on a message, then click on the “Assign to someone” button:

Follow up

Please follow up periodically on every email assigned to you. Why:

  • Remind the reporter you need more information.

  • Reassure the reporter we are looking at the issue.

If you need to, hand off the email to another working group member. Don’t forget to re-assign it to them.

Close out

If the email requires no further follow up, use one of these buttons to close out a message:

  • Complete: You did work on the message, even if it was only investigation.

  • Duplicate: The message is entirely covered by another message.

    • Google Groups will ask you for the URL of the original message. Fill it in.

  • No Action Needed: The message is frivolous, spam, or frivolous spam.

What to say

Our tone: direct, professional, but kind.

Tip: Hover over the right end of the response block to see a “Copy as text” button:

The “Copy as text” button

See & add to them!

  • Acknowledge the email quickly:

    • Thank you for your email. We will investigate.
  • Common inquiries & template responses:

    • Duplicates:

      • Thank you for your report. This is a duplicate of an earlier report that we are reviewing.
    • No update yet:

      • Hello, We are continuing to investigate this report and will reach out to you when we have reached a resolution. Thank you.
    • Need proof of concept:

      • Hello, Would you be able to provide a proof of concept for the vulnerability? Thank you.
    • Confirm correct destination:

      • Hello, Thank you for reaching out. This e-mail address is the correct place to report any security issues you may have found. The Open edX project does not offer bug bounties for security vulnerability disclosures. See: https://github.com/openedx/edx-platform/security/policy#bug-bounty Thank you.
    • Bug bounty:

      • The Open edX project does not offer bug bounties for security vulnerability disclosures. See: https://github.com/openedx/edx-platform/security/policy#bug-bounty
  • Inapplicable reports/inquiries

    • Intentionally open source:

      • Thank you for this report. Open edX is an open-source platform; many of our features are developed in the open and collaboratively with community developers. If you would be interested in contributing, you can learn more at https://open.edx.org/community/
  • Close out the email thread.

    • Forwarded to an operator or Axim:

      • Thank you for your email. We have determined your report pertains to a specific Open edX operator and have forwarded your report to them. The operator will reach out to you if any further information is required.
      • Re-send this email if the reporter continues to inquire about the operator’s contact information.

      • See Forward a report to an operator or Axim, below.

    • Not a security issue:

      • Thank you for the disclosure. We have investigated this and do not believe it is a security issue that needs to be addressed at this time.
    • Verified vulnerability:

      • Hello, Thank you for your patience. We are resolving the security vulnerability reported by your disclosure. The Open edX Project does not offer monetary bug bounties for security disclosures. Thank you again for your disclosure.

What to do

under construction

Forward a report to an operator or Axim

If a report applies only to a particular operator or to Axim:

  1. Find the operator’s contact information at

  2. “Forward” report to the operator from the Google Groups web interface

    1. Click on “Reply all” at the bottom of the email thread.

    2. Change sender to “security@openedx.org”

    3. Clear Cc: field to remove reporter’s email(s)

    4. Add operator’s email to Cc: field

    5. Change the subject prefix from “Re:” to “Fwd:”

    6. Check any relevant attachments are still included.

    7. Include a blurb, like below:

      From: security@openedx.org
      Cc: <email of operator>
      Subject: Fwd: <original subject>

      We received the email below and believe it to be a security report specific to your Open edX instance. We will inform the reporter that you will reach out to them if any additional information is required.

      Need help, or received this email in error? Please let us know.

      Thanks,
      —Security WG
    8. Post message

  3. Reply all to the reporter’s original email so the email to the operator is not included in the thread.

    1. The Reply all button should look like the above and is to the right of the header of the reporter’s original email.

    2. Check the sender is still “security@openedx.org”

    3. Click on the … at the bottom of the draft to check other emails are not included in the reply.

    4. Include a blurb, like below:

      From: security@openedx.org
      Cc: <email of reporter>
      Subject: Re: <original subject>

      Thank you for your email. We have determined your report pertains to a specific Open edX operator and have forwarded your report to them. The operator will reach out to you if any further information is required.

For more information on why we provide this service, see “Guidance for Operators” in OEP-60: https://open-edx-proposals.readthedocs.io/en/latest/processes/oep-0060-proc-sec-group.html#guidance-for-operators.

Respond to a security disclosure

A security disclosure is someone emailing to report a security vulnerability in Open edX software.

Our job:

  • Verify a security vulnerability exists

  • Find who owns the code

  • Create a GitHub Security Advisory (GHSA) for the affected repositories

  • Share a link to the draft security advisory in #wg-security-private and get a thumbs-up

  • Email the maintainer:

    • Send from Google Groups:

      • Click on “New conversation”:

      • You should see a box like this pop up:

    • Include the severity rating (low, medium, high, or critical) provided by the CVSS calculator on the GitHub Security Advisory.

    • Template:

      From: security@openedx.org
      Cc: <email of maintainers>
      Subject: New security vulnerability in <repository>: <name of GHSA> (<Low/Medium/High/Critical>)

      There is a new security vulnerability in <repository>: <URL to GHSA>

      It has a draft severity rating of "<Low/Medium/High/Critical>".

      Need help? Please let us know, or consult: https://openedx.atlassian.net/wiki/spaces/COMM/pages/3630923873/For+maintainers

      Thanks,
      —Security WG

Give security advice

under construction

Process suggestions for security improvements

In our GitHub Project:

  1. Decide whether the suggestion is worth accepting.

    • If in doubt, create a ticket titled “Discuss […]”

  2. Consider whether the suggestion can be made public.

  3. Search for existing, similar suggestions.

  4. Create or comment on the issue for the suggestion.

    • Add a link to the Google Groups message

    • To add an issue:

      • Select “Convert to issue” and add the issue to the wg-security repo. [GitHub docs]

  5. Reply to the reporter:

    • We have added your suggestion to our project board: <URL to issue or comment> Thank you for helping keep Open edX secure.
  6. If a new issue, notify #wg-security:

    • [new issue] <URL to issue>

Map a Name to a GitHub Username

It’s generally useful to be able to map real names to GitHub usernames, or to map GitHub usernames from a catalog-info.yaml file back to real names, so that we can contact maintainers via other communication channels (email, Slack, Discourse, etc.).

As a security manager you will have access to this mapping of names to GitHub usernames.

This is privileged information and the full document should not be shared with others. You should only be using it to help triage or resolve security incidents. For all other issues, seek help from the Axim Engineering team.

  1. Go to https://github.com/openedx/openedx-webhooks-data/blob/main/salesforce-export.csv

  2. Look up the name or GitHub username.