Security - Reporting and Discussion
Security issues in Bahmni should be reported and discussed in private, and disclosed publicly only once a fix is in place. Report security issues to the security@bahmni.org mailing list. An acknowledgement will be sent to the reporter. Discussion of the details of the issue takes place on this list, with or without the reporter. The list is made up of trusted developers. ("Trusted developer" is a qualitative judgment, and it is ultimately up to the discretion of the dev team leads.)
Process
- Someone reports an issue to security@bahmni.org
- A member of the list will acknowledge receipt
- The issue and its fix are discussed on private channels, e.g. on the security@bahmni.org list (with or without the original reporter), in person, or via private Slack messages.
- A decision is made on the threat level.
- An immediate remediation that can be applied is determined, if one exists (e.g. changing a config setting, stopping a service).
- If it’s a bug in an upstream service (e.g. OpenMRS Platform), then it will be reported there (the reporter will be notified)
- Discussions remain private amongst trusted devs; until a remediation is in place, no details of the available exploit are shared.
- Only people in JIRA group (Core-Team) have access to JIRA tickets for "Security".
- If there is an immediate remediation available, then a security advisory communication is sent to the security-announcements list (security-announcements@bahmni.org) giving the details of the issue, and the remediation.
- The security-announcements list is for select subscribers, and inclusion is purely up to the discretion of the team leads.
- Security group creates a JIRA ticket with the appropriate 'security level' (The new ticket is not public)
- The issue is worked on without public acknowledgement (i.e. without giving concrete details on public Slack channels, public Talk forums, or publicly visible JIRA tickets).
- Fix is applied, tested (preferably with the reporter), and a patch release is done.
- Security Group releases a security advisory to the bahmni-coalition and the security-announcements list giving details of how to apply the fix.
- Security Group communicates this security advisory publicly, and sets the JIRA ticket visibility to public.
For Reference: OpenMRS security advisory page: https://wiki.openmrs.org/display/docs/Managing+Security+Vulnerabilities+in+OpenMRS
The Bahmni documentation is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)