[Security] Security process & documentation — vulnerability disclosure, release security gate, policies #151

Open
opened 2026-07-03 10:30:31 +00:00 by jabber.developer2 · 0 comments
Collaborator

Security governance: a real vulnerability-disclosure process and release-security step, plus logging/secure-configuration/traceability documentation (most governance items are triaged W).

Part of #144. Decision legend: M must-do, C could-do, W won't-do (this cycle); investigate = verify the problem is real / scope it before implementing.

Subtasks & findings

T18 — Vulnerability-disclosure & release-security process

Owner: Either · Decision: M / C · Effort: VUL-01/04 ~0.5–1d; CIS-02 ~1w+

Flesh out SECURITY.md + release security step (M); full vuln-mgmt process (CIS-02, C).

  • REQ-VUL-01 (high · m) — SECURITY.md is 7 lines (contact+PGP only) — no supported versions/scope/SLA
    • Evidence: SECURITY.md:1-7
    • Fix: Add Supported Versions, in/out-of-scope, ack+remediation SLA, coordinated-disclosure terms, owners (shares changelog step with REQ-VUL-04)
    • Maps to: NIST RS.MA-01/ID.IM-01/GV.RR-02/GV.OC-02; ISO A.5.5/A.5.26/A.8.8/A.5.2; CIS 7.1/16.2
  • REQ-VUL-04 (medium · m) — No per-release Security/CVE changelog convention; RELEASE_GUIDE has no security step
    • Evidence: RELEASE_GUIDE.md (no security step)
    • Fix: Add a pre-tag CHANGELOG Security/CVE review step + a one-line changelog convention (shared with REQ-VUL-01)
    • Maps to: NIST RC.RP-05/ID.IM-04; ISO A.8.8/A.5.26; CIS 7.2/16.3
  • REQ-CIS-02 (high · c) — No documented vuln accept/severity-rate/remediate process (SLA, RCA, release gate) (merges CIS-7.2/16.6)
    • Evidence: SECURITY.md contact-only; RELEASE_GUIDE.md no security step
    • Fix: Author intake/triage, CVSS-aligned severity, remediation SLA, per-fix RCA+regression test, release gate blocking tags on open criticals
    • Maps to: CIS 7.1/7.2/16.2/16.6/18.3; NIST RS.MA-01/ID.IM-01/02; ISO A.5.5/A.5.26/A.8.8

T19 — Security docs & governance

Owner: Either · Decision: M + mostly W · Effort: ~0.5d (CIS-05); rest W

CIS-05 short logging note to CONTRIBUTING.md (M); CIS-06/07, SDLC-03/06 = W.

  • REQ-CIS-05 (medium · m (short 1-2 paragraphs to CONTRIBUTING.md so AI can understand WARN/Debug level)) — No documented application logging policy (events/levels/no-secrets/retention) (merges CIS-8.1)
    • Evidence: no logging policy in compliance/ or docs/
    • Fix: Add a logging-policy doc (WARN+ events, no-secrets constraint, default level, rotation, 0600); add CI grep on log_* interpolation of secrets
    • Maps to: CIS 8.1/8.5; NIST PR.PS-04/DE.AE-02; ISO A.8.15/A.8.16
  • REQ-CIS-06 (medium · w) — No documented secure-configuration/hardening baseline
    • Evidence: docs/ holds only man pages
    • Fix: Add docs/SECURE-CONFIGURATION.md: shipped defaults + rationale, minimal-surface build, hardening-template pointer, review cadence
    • Maps to: CIS 4.1/16.7; NIST PR.PS-01/GV.PO-01; ISO A.8.9/A.8.27
  • REQ-SDLC-06 (medium · w) — No invariant→test REQ-ID traceability matrix
    • Evidence: no compliance/REQ-TO-TEST.md
    • Fix: Author compliance/REQ-TO-TEST.md mapping each REQ to concrete tests and flagging uncovered REQs (cross-referencing labor)
    • Maps to: NIST GV.PO-01/PR.DS-02/GV.SC-04; ISO A.5.8/A.8.25; CIS 16.10/16.14
  • REQ-SDLC-03 (medium · w) — No CODEOWNERS; commitlint config dormant/unreferenced
    • Evidence: .commitlintrc.json unreferenced; no .github/CODEOWNERS
    • Fix: Add CODEOWNERS for crypto/TLS/plugin/AI dirs; add a Node-bootstrap commitlint CI job (no package.json today)
    • Maps to: NIST GV.RR-02/PR.PS-06/ID.IM-03; ISO A.5.8/A.8.25/A.8.32
  • REQ-CIS-07 (low · w) — Production/non-production data separation not stated as a normative control
    • Evidence: stabber harness satisfies it; no normative home
    • Fix: State the no-real-data/isolated-XDG/localhost-only rule; add a CI grep on absolute $HOME/non-localhost hosts in tests
    • Maps to: CIS 16.8; NIST PR.IR-01/ID.AM-08; ISO A.8.31/A.8.29

Checklist

T18 — Vulnerability-disclosure & release-security process

  • REQ-VUL-01 · high · M — SECURITY.md is 7 lines (contact+PGP only) — no supported versions/scope/SLA
  • REQ-VUL-04 · medium · M — No per-release Security/CVE changelog convention; RELEASE_GUIDE has no security step
  • REQ-CIS-02 · high · C — No documented vuln accept/severity-rate/remediate process (SLA, RCA, release gate) (merges CIS-7.2/16.6)

T19 — Security docs & governance

  • REQ-CIS-05 · medium · M — No documented application logging policy (events/levels/no-secrets/retention) (merges CIS-8.1)
  • REQ-CIS-06 · medium · W — No documented secure-configuration/hardening baseline (W — optional/defer)
  • REQ-SDLC-06 · medium · W — No invariant→test REQ-ID traceability matrix (W — optional/defer)
  • REQ-SDLC-03 · medium · W — No CODEOWNERS; commitlint config dormant/unreferenced (W — optional/defer)
  • REQ-CIS-07 · low · W — Production/non-production data separation not stated as a normative control (W — optional/defer)

Notes

  • Deferred (W) — safe to split out or postpone: REQ-CIS-06, REQ-SDLC-06, REQ-SDLC-03, REQ-CIS-07.
Security governance: a real vulnerability-disclosure process and release-security step, plus logging/secure-configuration/traceability documentation (most governance items are triaged W). Part of #144. Decision legend: **M** must-do, **C** could-do, **W** won't-do (this cycle); *investigate* = verify the problem is real / scope it before implementing. ## Subtasks & findings ### T18 — Vulnerability-disclosure & release-security process _Owner:_ Either · _Decision:_ M / C · _Effort:_ VUL-01/04 ~0.5–1d; CIS-02 ~1w+ Flesh out SECURITY.md + release security step (M); full vuln-mgmt process (CIS-02, C). - **REQ-VUL-01** (high · _m_) — SECURITY.md is 7 lines (contact+PGP only) — no supported versions/scope/SLA - Evidence: `SECURITY.md:1-7` - Fix: Add Supported Versions, in/out-of-scope, ack+remediation SLA, coordinated-disclosure terms, owners (shares changelog step with REQ-VUL-04) - Maps to: NIST RS.MA-01/ID.IM-01/GV.RR-02/GV.OC-02; ISO A.5.5/A.5.26/A.8.8/A.5.2; CIS 7.1/16.2 - **REQ-VUL-04** (medium · _m_) — No per-release Security/CVE changelog convention; RELEASE_GUIDE has no security step - Evidence: `RELEASE_GUIDE.md (no security step)` - Fix: Add a pre-tag CHANGELOG Security/CVE review step + a one-line changelog convention (shared with REQ-VUL-01) - Maps to: NIST RC.RP-05/ID.IM-04; ISO A.8.8/A.5.26; CIS 7.2/16.3 - **REQ-CIS-02** (high · _c_) — No documented vuln accept/severity-rate/remediate process (SLA, RCA, release gate) (merges CIS-7.2/16.6) - Evidence: `SECURITY.md contact-only; RELEASE_GUIDE.md no security step` - Fix: Author intake/triage, CVSS-aligned severity, remediation SLA, per-fix RCA+regression test, release gate blocking tags on open criticals - Maps to: CIS 7.1/7.2/16.2/16.6/18.3; NIST RS.MA-01/ID.IM-01/02; ISO A.5.5/A.5.26/A.8.8 ### T19 — Security docs & governance _Owner:_ Either · _Decision:_ M + mostly W · _Effort:_ ~0.5d (CIS-05); rest W CIS-05 short logging note to CONTRIBUTING.md (M); CIS-06/07, SDLC-03/06 = W. - **REQ-CIS-05** (medium · _m (short 1-2 paragraphs to CONTRIBUTING.md so AI can understand WARN/Debug level)_) — No documented application logging policy (events/levels/no-secrets/retention) (merges CIS-8.1) - Evidence: `no logging policy in compliance/ or docs/` - Fix: Add a logging-policy doc (WARN+ events, no-secrets constraint, default level, rotation, 0600); add CI grep on log_* interpolation of secrets - Maps to: CIS 8.1/8.5; NIST PR.PS-04/DE.AE-02; ISO A.8.15/A.8.16 - **REQ-CIS-06** (medium · _w_) — No documented secure-configuration/hardening baseline - Evidence: `docs/ holds only man pages` - Fix: Add docs/SECURE-CONFIGURATION.md: shipped defaults + rationale, minimal-surface build, hardening-template pointer, review cadence - Maps to: CIS 4.1/16.7; NIST PR.PS-01/GV.PO-01; ISO A.8.9/A.8.27 - **REQ-SDLC-06** (medium · _w_) — No invariant→test REQ-ID traceability matrix - Evidence: `no compliance/REQ-TO-TEST.md` - Fix: Author compliance/REQ-TO-TEST.md mapping each REQ to concrete tests and flagging uncovered REQs (cross-referencing labor) - Maps to: NIST GV.PO-01/PR.DS-02/GV.SC-04; ISO A.5.8/A.8.25; CIS 16.10/16.14 - **REQ-SDLC-03** (medium · _w_) — No CODEOWNERS; commitlint config dormant/unreferenced - Evidence: `.commitlintrc.json unreferenced; no .github/CODEOWNERS` - Fix: Add CODEOWNERS for crypto/TLS/plugin/AI dirs; add a Node-bootstrap commitlint CI job (no package.json today) - Maps to: NIST GV.RR-02/PR.PS-06/ID.IM-03; ISO A.5.8/A.8.25/A.8.32 - **REQ-CIS-07** (low · _w_) — Production/non-production data separation not stated as a normative control - Evidence: `stabber harness satisfies it; no normative home` - Fix: State the no-real-data/isolated-XDG/localhost-only rule; add a CI grep on absolute $HOME/non-localhost hosts in tests - Maps to: CIS 16.8; NIST PR.IR-01/ID.AM-08; ISO A.8.31/A.8.29 ## Checklist **T18 — Vulnerability-disclosure & release-security process** - [ ] **REQ-VUL-01** · high · M — SECURITY.md is 7 lines (contact+PGP only) — no supported versions/scope/SLA - [ ] **REQ-VUL-04** · medium · M — No per-release Security/CVE changelog convention; RELEASE_GUIDE has no security step - [ ] **REQ-CIS-02** · high · C — No documented vuln accept/severity-rate/remediate process (SLA, RCA, release gate) (merges CIS-7.2/16.6) **T19 — Security docs & governance** - [ ] **REQ-CIS-05** · medium · M — No documented application logging policy (events/levels/no-secrets/retention) (merges CIS-8.1) - [ ] **REQ-CIS-06** · medium · W — No documented secure-configuration/hardening baseline _(W — optional/defer)_ - [ ] **REQ-SDLC-06** · medium · W — No invariant→test REQ-ID traceability matrix _(W — optional/defer)_ - [ ] **REQ-SDLC-03** · medium · W — No CODEOWNERS; commitlint config dormant/unreferenced _(W — optional/defer)_ - [ ] **REQ-CIS-07** · low · W — Production/non-production data separation not stated as a normative control _(W — optional/defer)_ ## Notes - **Deferred (W)** — safe to split out or postpone: REQ-CIS-06, REQ-SDLC-06, REQ-SDLC-03, REQ-CIS-07.
jabber.developer added the
Kind/Security
Priority
Medium
3
labels 2026-07-03 10:32:13 +00:00
jabber.developer added this to the Plans (2025-2026) project 2026-07-03 10:32:19 +00:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: devs/cproof#151
No description provided.