Security - Reporting and Discussion

Security issues in Bahmni should be reported and discussed in private, and only disclosed publicly once a fix is in place. Security issues in Bahmni should be reported to the security@bahmni.org mailing list. An acknowledgement will be sent to the reporter. Discussion of the details of the issue should take place on this list, with or without the reporter. This list is made up of trusted developers. (“Trusted developer” is a qualitative judgment, and it’s ultimately up to the discretion of the dev team leads.)

Process

  1. Someone reports an issue to security@bahmni.org
  2. A member of the list will acknowledge receipt
  3. The issue/fix is discussed on private channels, e.g. on the security@bahmni.org list (with or without the original reporter), in person, or via private Slack messages.
    • Decision on the threat level.
    • Determination of an immediate remediation that can be applied (e.g. changing a config setting, stopping a service)
    • If it’s a bug in an upstream service (e.g. OpenMRS Platform), then it will be reported there (the reporter will be notified)
    • Discussions are private amongst trusted devs; until a remediation is in place, we avoid sharing any details of the available exploit
  4. If there is an immediate remediation available, then a security advisory communication is sent to the security-announcements list (security-announcements@bahmni.org) giving the details of the issue, and the remediation.
    • The security-announcements list is for select subscribers, and inclusion in it is purely up to the discretion of the team leads.
  5. Security group creates a JIRA ticket with the appropriate 'security level' (The new ticket is not public)
  6. The issue will be worked on without publicly acknowledging this (i.e. without giving concrete details on public Slack channels, public Talk forums, or publicly-visible JIRA tickets)
  7. The fix is applied, tested (preferably with the reporter), and a patch release is done.
  8. Security Group releases a security advisory to the bahmni-coalition and the security-announcements list giving details of how to apply the fix.
  9. Security Group communicates this security advisory publicly, and sets the JIRA ticket visibility to public.