  1. Someone reports an issue to security@bahmni.org.
  2. A member of the list acknowledges receipt.
  3. The issue and its fix are discussed on private channels, e.g. on the security@bahmni.org list (with or without the original reporter), in person, or via private Slack messages.
    • Decision on the threat level.
    • Determination of an immediate remediation that can be applied (e.g. changing a config setting, stopping a service).
    • If it is a bug in an upstream service (e.g. OpenMRS Platform), it is reported there, and the reporter is notified.
    • Discussions stay private amongst trusted devs; until a remediation is in place, no details of the available exploit are shared.
  4. If an immediate remediation is available, a security advisory is sent to the security-announcements list (security-announcements@bahmni.org) giving the details of the issue and the remediation.
    • The security-announcements list is for select subscribers; inclusion is purely at the discretion of the team leads.
  5. The Security Group creates a JIRA ticket with the appropriate 'security level' (the new ticket is not public).
  6. The issue is worked on without public acknowledgement (i.e. without giving concrete details on public Slack channels, public Talk forums, or publicly visible JIRA tickets).
  7. The fix is applied, tested (preferably with the reporter), and a patch release is made.
  8. The Security Group releases a security advisory to the bahmni-coalition and the security-announcements list giving details of how to apply the fix.
  9. The Security Group communicates this security advisory publicly and sets the JIRA ticket visibility to public.


Info

For reference, the OpenMRS security advisory page: https://wiki.openmrs.org/display/docs/Managing+Security+Vulnerabilities+in+OpenMRS