Security Playbooks – for Security WG members

Owned by Phillip Shiu (Deactivated)
Last updated: Aug 06, 2024 by Feanil Patel
7 min read

Identify the owner of a repo

  • Check the catalog-info.yaml file.

  • Search for CODEOWNER files in the repo.

  • Ask someone from edx.org/2U to consult the 2U Ownership Spreadsheet.

  • Ask the PR Triage CCs for help routing to the correct owners.

Onboard or offboard a working group member

Add/remove in:

https://openedx.slack.com/archives/C048EGU3X2B
Add or remove the member to the on-call calendar
Update the weekly checking reminder Slack Workflow
In slack side-bar in the Automations → Workflows → wg-security Weekly Update

Add in (no removal necessary):

Triage security@openedx.org emails

When you’re on-call, you must reply to emails sent to security@openedx.org.

Reply as security@openedx.com

You should receive all emails sent to security@openedx.org in your work email.

Use the Google Groups web interface to reply as

Always change the “From:” field to security@openedx.org every time.

Assign emails to responders

Assign yourself to emails:

  • Received while you’re on-call

  • That you’re taking care of

In https://groups.google.com/a/openedx.org/g/security, click on a message, then click on the “Assign to someone” button:

Follow up

Please follow up periodically to all emails assigned to you. Why:

  • Remind the reporter you need more information.

  • Reassure the reporter we are looking at the issue.

If you need to, handoff the email to another working group member. Don’t forget to re-assign it to them.

Close out

If the email requires no further follow up, use one of these buttons to close out a message:

  • Complete: You did work on the message, even if it was only investigation.

  • Duplicate: The message is entirely covered by another message.

    • Google Groups will ask you for the URL of original message. Fill it in.

  • No Action Needed: The message is frivolous, spam, or frivolous spam.

What to say

Our tone: direct, professional, but kind.

Tip: Hover over the right end of the response block to see a “Copy as text” button:

See https://openedx.atlassian.net/wiki/spaces/COMM/pages/3624140816/Security+Working+Group+Private#Common-Issues & add to them!

  • Acknowledge the email quickly:

    • Thank you for your email. We will investigate.

  • Common inquiries & template responses:

    • Duplicates:

      • Thank you for your report. This is a duplicate of an earlier report that we are reviewing.

    • No update yet:

      • Hello, We are continuing to investigate this report and will reach out to you when we have reached a resolution. Thank you.

    • Need proof of concept:

    • Confirm correct destination:

    • Bug bounty:

  • Inapplicable reports/inquires

    • Intentionally open source:

  • Close out the email thread.

    • Forwarded to an operator or Axim:

    • Not a security issue:

    • Verified vulnerability:

What to do

under construction

Forward a report to an operator or Axim

If a report applies only to a particular operator or to Axim:

  1. Find the operator’s contact information at https://openedx.atlassian.net/wiki/spaces/COMM/pages/3624140816/Security+Working+Group+Private#Contacts

  2. “Forward” report to the operator from the Google Groups web interface

    1. Click on “Reply all” at the bottom of the email thread.

    2. Change sender to “security@openedx.org”

    3. Clear Cc: field to remove reporter’s email(s)

    4. Add operator’s email to Cc: field

    5. Change the subject prefix from “Re:” to “Fwd:”

    6. Check any relevant attachments are still included.

    7. Include a blurb, like below:

    8. Post message

  3. Reply all to the reporter’s original email so the email to the operator is not included in the thread.

    1. The Reply all button should look like the above and is to the right of the header of the reporter’s original email.

    2. Check the sender is still “security@openedx.org”

    3. Click on the … at the bottom of the draft to check other emails are not included in the reply.

    4. Include a blurb, like below:

For more information on why we provide this service, see For operators and “Guidance for Operators” in https://open-edx-proposals.readthedocs.io/en/latest/processes/oep-0060-proc-sec-group.html#guidance-for-operators.

Respond to a security disclosure

A security disclosure is someone emailing to report a security vulnerability in Open edX software.

Our job:

Give security advice

under construction

Process suggestions for security improvements

In our GitHub Project:

  1. Decide whether the suggestion is worth accepting.

    • If in doubt, create a ticket titled “Discuss […]”

  2. Consider whether the suggestion can be made public.

  3. Search for existing, similar suggestions.

  4. Create or comment on the issue for the suggestion.

    • Add a link to the Google Groups message

    • To add an issue:

      • Select “Convert to issue” and add the issue to the wg-security repo. [GitHub docs]

  5. Reply to the reporter:

  6. If a new issue, notify #wg-security:

Map a Name to a Github Username

It’s generally useful to be able to either map real names to GitHub usernames or map GitHub user names from a catalog-info.yaml file to real names so that we can contact maintainers via other communication channels (Email, slack, Discourse, etc.)

As a security manager you will have access to this mapping of names to Github usernames.

This is privileged information and the full document should not be shared with others. You should only be using it to help triage or resolve security incidents. For all other issues, seek help from the Axim Engineering team.

  1. Go to https://github.com/openedx/openedx-webhooks-data/blob/main/salesforce-export.csv

  2. Look up the name or GitHub username.