Security Playbooks – for Security WG members

Identify the owner of a repo

  • Check the catalog-info.yaml file.

  • Search for CODEOWNER files in the repo.

  • Ask someone from to consult the 2U Ownership Spreadsheet.

  • Ask the PR Triage CCs for help routing to the correct owners.

Onboard or offboard a working group member

Add/remove in:
Welcome/farewell post in
Add or remove the member to the on-call calendar
Update the weekly checking reminder
/remind #wg-security-private every Wednesday at 10 am to Weekly Update! @feanil @alangston @pshiu @magajh • Update any issues you have on the [SWG Board]( • In this thread, let everyone know: ◦ In one sentence, what are you working on for SWG this week? ◦ Are you stuck on anything?

Add in (no removal necessary):

Triage emails

When you’re on-call, you must reply to emails sent to

Reply as

You should receive all emails sent to in your work email.

Use the Google Groups web interface to reply as

Always change the “From:” field to every time.

Assign emails to responders

Assign yourself to emails:

  • Received while you’re on-call

  • That you’re taking care of

In , click on a message, then click on the “Assign to someone” button:

Follow up

Please follow up periodically to all emails assigned to you. Why:

  • Remind the reporter you need more information.

  • Reassure the reporter we are looking at the issue.

If you need to, handoff the email to another working group member. Don’t forget to re-assign it to them.

Close out

If the email requires no further follow up, use one of these buttons to close out a message:

  • Complete: You did work on the message, even if it was only investigation.

  • Duplicate: The message is entirely covered by another message.

    • Google Groups will ask you for the URL of original message. Fill it in.

  • No Action Needed: The message is frivolous, spam, or frivolous spam.

What to say

Our tone: direct, professional, but kind.

Tip: Hover over the right end of the response block to see a “Copy as text” button:

See & add to them!

  • Acknowledge the email quickly:

    • Thank you for your email. We will investigate.
  • Common inquiries & template responses:

    • Duplicates:

      • Thank you for your report. This is a duplicate of an earlier report that we are reviewing.
    • No update yet:

    • Need proof of concept:

    • Confirm correct destination:

    • Bug bounty:

  • Inapplicable reports/inquires

    • Intentionally open source:

  • Close out the email thread.

    • Forwarded to an operator or Axim:

    • Not a security issue:

    • Verified vulnerability:

What to do

under construction

Forward a report to an operator or Axim

If a report applies only to a particular operator or to Axim:

  1. Find the operator’s contact information at

  2. “Forward” report to the operator from the Google Groups web interface

    1. Click on “Reply all” at the bottom of the email thread.

    2. Change sender to “”

    3. Clear Cc: field to remove reporter’s email(s)

    4. Add operator’s email to Cc: field

    5. Change the subject prefix from “Re:” to “Fwd:”

    6. Check any relevant attachments are still included.

    7. Include a blurb, like below:

    8. Post message

  3. Reply all to the reporter’s original email so the email to the operator is not included in the thread.

    1. The Reply all button should look like the above and is to the right of the header of the reporter’s original email.

    2. Check the sender is still “”

    3. Click on the … at the bottom of the draft to check other emails are not included in the reply.

    4. Include a blurb, like below:

For more information on why we provide this service, see and “Guidance for Operators” in .

Respond to a security disclosure

A security disclosure is someone emailing to report a security vulnerability in Open edX software.

Our job:

  • Verify a security vulnerability exists

  • Find who owns the code

  • Create a GitHub Security Advisory (GHSA) for the affected repositories

    • Add: Title, Description, Ecosystem, and use CVSS Calculator

      • Ecosystem: npm or pip if applicable, otherwise None

    • Add the owners/team of the repo to the GitHub Security Advisory:

  • Share link to draft security advisory to #wg-security-private & get a thumb

  • Email the maintainer:

    • Send from Google Groups:

      • Click on “New conversation”:

      • You should see a box like this pop up:

    • Include the severity rating (low, medium, high, or critical) provided by the CVSS calculator on the GitHub Security Advisory.

    • Template:

Give security advice

under construction

Process suggestions for security improvements

In our GitHub Project:

  1. Decide whether the suggestion is worth accepting.

    • If in doubt, create a ticket titled “Discuss […]”

  2. Consider whether the suggestion can be made public.

  3. Search for existing, similar suggestions.

  4. Create or comment on the issue for the suggestion.

    • Add a link to the Google Groups message

    • To add an issue:

      • Select “Convert to issue” and add the issue to the wg-security repo. [GitHub docs]

  5. Reply to the reporter:

  6. If a new issue, notify #wg-security:

Map a Name to a Github Username

It’s generally useful to be able to either map real names to GitHub usernames or map GitHub user names from a catalog-info.yaml file to real names so that we can contact maintainers via other communication channels (Email, slack, Discourse, etc.)

As a security manager you will have access to this mapping of names to Github usernames.

This is privileged information and the full document should not be shared with others. You should only be using it to help triage or resolve security incidents. For all other issues, seek help from the Axim Engineering team.

  1. Go to

  2. Look up the name or GitHub username.