Security issues in Bahmni should be reported; and discussed in private, and only disclosed publicly when we have a fix in place. Security issues in Bahmni should be reported to the firstname.lastname@example.org mailing list. An acknowledgement will be sent to the reporter. Discussion of the details of the issue should take place on this list +/- the reporter. This list is made up of trusted developers. (“Trusted developer” is a qualitative judgment, and it’s ultimately up to the discretion of the dev team leads)
- Someone reports an issue to email@example.com
- A member of the list will acknowledge receipt
- The issue/fix is discussed on private channels, e.g. on the firstname.lastname@example.org list +/- the original reporter, in person, or via private slack messages.
If there is an immediate remediation available, then a security advisory communication is sent to the security-announcements list (email@example.com) giving the details of the issue, and the remediation.
- Decision on the threat level.
- Determination of an immediate remediation that can be applied (e.g. changing a config setting, stopping a service)
- If it’s a bug in an upstream service (e.g. OpenMRS Platform), then it will be reported there (the reporter will be notified)
- Discussions are private amongst trusted devs, until a remediation in place we avoid sharing any details of the available exploit.
- Only people in JIRA group (Core-Team) have access to JIRA tickets for "Security".
Security group creates a JIRA ticket with the appropriate 'security level' (The new ticket is not public)The issue will be worked on without publicly acknowledging this (i.e. without giving concrete details on public slack channels, public Talk forums, or publicly-visible JIRA ticketsFix is applied, tested (preferably with the reporter), and a patch release is done. Security Group releases a security advisory to the bahmni-coalition and the security-announcements list giving details of how to apply the fix. Security Group communicates this security advisory publicly, and sets the JIRA ticket visibility to public.
- The security-announcements list is for select subscribers, and inclusion in that is purely upto discretion of the team leads.