Security Playbooks – for Security WG members
- 1 Identify the owner of a repo
- 2 Onboard or offboard a working group member
- 3 Triage security@openedx.org emails
- 3.1 Reply as security@openedx.com
- 3.2 Assign emails to responders
- 3.3 Follow up
- 3.4 Close out
- 3.5 What to say
- 3.6 What to do
- 4 Forward a report to an operator or Axim
- 5 Respond to a security disclosure
- 6 Give security advice
- 7 Process suggestions for security improvements
- 8 Map a Name to a Github Username
Identify the owner of a repo
Check the
catalog-info.yaml
file.Search for
CODEOWNER
files in the repo.Ask someone from edx.org/2U to consult the 2U Ownership Spreadsheet.
Ask the PR Triage CCs for help routing to the correct owners.
Onboard or offboard a working group member
Add/remove in:
Add in (no removal necessary):
Triage security@openedx.org emails
When you’re on-call, you must reply to emails sent to security@openedx.org.
Reply as security@openedx.com
You should receive all emails sent to security@openedx.org in your work email.
Use the Google Groups web interface to reply as
Always change the “From:” field to security@openedx.org every time.
Assign emails to responders
Assign yourself to emails:
Received while you’re on-call
That you’re taking care of
In Google Groups, click on a message, then click on the “Assign to someone” button:
Follow up
Please follow up periodically to all emails assigned to you. Why:
Remind the reporter you need more information.
Reassure the reporter we are looking at the issue.
If you need to, handoff the email to another working group member. Don’t forget to re-assign it to them.
Close out
If the email requires no further follow up, use one of these buttons to close out a message:
Complete: You did work on the message, even if it was only investigation.
Duplicate: The message is entirely covered by another message.
Google Groups will ask you for the URL of original message. Fill it in.
No Action Needed: The message is frivolous, spam, or frivolous spam.
What to say
Our tone: direct, professional, but kind.
Tip: Hover over the right end of the response block to see a “Copy as text” button:
See https://openedx.atlassian.net/wiki/spaces/COMM/pages/3624140816/Security+Working+Group+Private#Common-Issues & add to them!
Acknowledge the email quickly:
Thank you for your email. We will investigate.
Common inquiries & template responses:
Duplicates:
Thank you for your report. This is a duplicate of an earlier report that we are reviewing.
No update yet:
Hello, We are continuing to investigate this report and will reach out to you when we have reached a resolution. Thank you.
Need proof of concept:
Confirm correct destination:
Bug bounty:
Inapplicable reports/inquires
Intentionally open source:
Close out the email thread.
Forwarded to an operator or Axim:
Re-send this email if the reporter continues to inquire about the operator’s contact information.
See Forward a report to an operator or Axim, below.
Not a security issue:
Verified vulnerability:
What to do
under construction
Forward a report to an operator or Axim
If a report applies only to a particular operator or to Axim:
Find the operator’s contact information at https://openedx.atlassian.net/wiki/spaces/COMM/pages/3624140816/Security+Working+Group+Private#Contacts
“Forward” report to the operator from the Google Groups web interface
Click on “Reply all” at the bottom of the email thread.
Change sender to “security@openedx.org”
Clear Cc: field to remove reporter’s email(s)
Add operator’s email to Cc: field
Change the subject prefix from “Re:” to “Fwd:”
Check any relevant attachments are still included.
Include a blurb, like below:
Post message
Reply all to the reporter’s original email so the email to the operator is not included in the thread.
The Reply all button should look like the above and is to the right of the header of the reporter’s original email.
Check the sender is still “security@openedx.org”
Click on the … at the bottom of the draft to check other emails are not included in the reply.
Include a blurb, like below:
For more information on why we provide this service, see For operators and “Guidance for Operators” in OEP-60 Open Source Security Working Group — Open edX Proposals 1.0 documentation.
Respond to a security disclosure
A security disclosure is someone emailing to report a security vulnerability in Open edX software.
Our job:
Verify a security vulnerability exists
Find who owns the code
Playbook: 🔍 Identify the owner of a repo
Create a GitHub Security Advisory (GHSA) for the affected repositories
Add: Title, Description, Ecosystem, and use CVSS Calculator
Ecosystem: npm or pip if applicable, otherwise None
Add the owners/team of the repo to the GitHub Security Advisory:
Share link to draft security advisory to #wg-security-private & get a thumb
Email the maintainer:
Send from Google Groups:
Click on “New conversation”:
You should see a box like this pop up:
Include the severity rating (low, medium, high, or critical) provided by the CVSS calculator on the GitHub Security Advisory.
Template:
Give security advice
under construction
Process suggestions for security improvements
In our GitHub Project:
Decide whether the suggestion is worth accepting.
If in doubt, create a ticket titled “Discuss […]”
Consider whether the suggestion can be made public.
If not, raise in #wg-security-private for next steps.
Search for existing, similar suggestions.
Create or comment on the issue for the suggestion.
Add a link to the Google Groups message
To add an issue:
Select “Convert to issue” and add the issue to the wg-security repo. [GitHub docs]
Reply to the reporter:
If a new issue, notify #wg-security:
Map a Name to a Github Username
It’s generally useful to be able to either map real names to GitHub usernames or map GitHub user names from a catalog-info.yaml
file to real names so that we can contact maintainers via other communication channels (Email, slack, Discourse, etc.)
As a security manager you will have access to this mapping of names to Github usernames.
This is privileged information and the full document should not be shared with others. You should only be using it to help triage or resolve security incidents. For all other issues, seek help from the Axim Engineering team.
Go to https://github.com/openedx/openedx-webhooks-data/blob/main/salesforce-export.csv
Look up the name or GitHub username.