Update Security policy for reporting critical vulnerabilities

[tonygermano]

See https://github.com/OpenIntegrationEngine/engine/blob/6ce3a9f0e3d84841f0b1e07c2808cf0bdb3d0a78/SECURITY.md

Need to determine:

• new destination email address or a different reporting mechanism
• who monitors those messages
• with whom is the information shared

[pacmano1]

We can setup security@openintegrationengine.org and it can be forwreded - perhaps email forwalrd to trusted group only to their desired email address. Need OK from you all.

[kpalang]

I propose setting up the email @pacmano1 mentioned and give Steering Committee members read-only access to it. I have an email client open at all times anyway so monitoring is no issue for me.

[gibson9583]

Agree with the above

[tonygermano]

I approve Paul and Kaur's proposals

[pacmano1]

Mailbox created, albeit not read only.

Credentials shared with @kpalang, please message me via PM on Discord w/email address to share creds to you.

[tonygermano]

Email solution as previously discussed has been implemented and document updated in OpenIntegrationEngine/engine#80

A more integrated way of handling this within github is described here, and I think we should work towards using this as the preferred solution.
https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability

[PBRichardson]

I'm keen to see an overall policy written to address vulnerabilities. Topics to cover should include:

• How are vulnerabilities in 3rd party JARs identified; e.g. scanning CVEs etc as they're issued
• How do we ensure that PR reviews minimise the possible introduction of vulnerabilities.
• How do we publicise vulnerabilities when we detect them (a mailing list and web page presumably)
• How do we supervise the patch and release process for vulnerabilities

I'm happy to contribute; I'm not just looking to create work :-)

[PBRichardson]

Hi all,
Just picking up this thread. Does anyone know when the last time a scan (manual or auto) of the libs that OIE was done to check for versions that have declared vulnerabilities?
As I said in my previous post, if it's felt to be necessary. I can devote some resource to getting this done and turning it into a process going forward.

[pacmano1]

This is one I did a second ago (html file in the zip file since GH won't let me upload an HTML file).

A process moving forward to produce these kind of artifact it helpful - but the harder work effort is fixing the code.

dependency-check-report.html.zip

[PBRichardson]

Fabulously helpful, @pacmano1 , thanks. I suspect that many of these will be resolved just through using the latest versions. I can get my team to work on this to see what the actions are for each.