ONAP Vulnerability Management - Developer Wiki - Confluence
Members of the team are independent and security-minded people who ensure that vulnerabilities are dealt with in a timely manner and that downstream stakeholders are notified in a coordinated and fair manner. Where a member of the team is employed by a downstream stakeholder, the member does not give their employer prior notice of any vulnerabilities. In order to reduce the risk of a vulnerability being disclosed in the early stages, membership of this team is intentionally limited to a small number of people.

This activity is approved and supported by the ONAP TSC and operates under the ONAP vulnerability sub-committee. The sub-committee functions are as described below. The committee has a chair, appointed by the membership from among the membership, who is responsible for seeing that work proceeds and serves as a point of contact for the TSC and community to the vulnerability sub-committee. The chair and membership, as well as pointers to this charter and the relevant email lists, are documented at link-to-page.

Supported projects and versions

ONAP is a very young project with a lot of code coming in every release. Even though we are interested in receiving bugs for all ONAP releases that are currently in use, we will develop patches ONLY FOR THE LATEST RELEASE and FOR THE MASTER BRANCH (next version under development). Unfortunately, ensuring security in the very early stages of the project is not always possible, which is why we declare the first three releases (Amsterdam, Beijing, Casablanca) as unsupported in terms of security bug fixes. Dublin is going to be the first version that will be supported as described by the above rule.

Third party components

The bug must then be confirmed to be a security problem and assigned an initial severity level. This may require the inclusion of additional subject matter experts to determine if the problem needs to be treated as a security flaw. If the bug is determined not to be a security issue, then a statement should be added indicating the justification. The bug should then be opened and fixed by following the normal development process.

Steps to be completed

The PTL or project security contact point is responsible for fixing the bug or delegating the work to the subject matter experts. Even though patch development can be delegated by the PTL or project security contact, only the VMS has the right to add new people to the ticket. Thus, the PTL should explicitly request access for additional developers by adding a comment with their LFID.
Security fixes, especially critical ones, should be treated as highest-priority tasks. If project delays are encountered at this or any subsequent stage of the process, the VMS and other interested parties may escalate the issue to the TSC, but without providing any details on the bug itself apart from reporter, severity, impacted project and versions.

Steps to be completed

If the reporter did not request a CVE number on his or her own, the VMS coordinator should attempt to obtain one to ensure full traceability. This is generally done as the patch gets nearer to final approval. The approved impact description is submitted through MITRE's CVE request form. The request type is "Request a CVE ID", the e-mail address should be that of the requester, and for critical reports the coordinator's OpenPGP key should be pasted into the field provided. In the required section, set the check boxes indicating that the product is not CNA-covered and that no prior CVE ID has been assigned, select an appropriate vulnerability type (using "Other or Unknown" to enter a free-form type if there is nothing relevant in the drop-down), set the vendor to ONAP, and set the product and version fields to match the affected project name and version from the impact description. In the optional section, set the radio button for confirmed/acknowledged to yes, choose an appropriate attack type in the drop-down (often this is context-dependent for our cases), check the relevant impact checkboxes, attempt to fill in the affected components and attack vector fields if possible, paste in the suggested description from the prose of the impact description (usually omitting the first sentence, as it is redundant with other fields), put the $CREDIT details in the discoverer/credits field, and put the bug URL (along with Gerrit URLs for patches, if already public) in the references field. If the report is still private, note that in the additional information field, like this: "This report is currently under embargo and no disclosure date has been scheduled at this time."

Once the patches are approved and the CVE is assigned, a signed email with the vulnerability description is sent to the downstream stakeholders by the VMS coordinator or another designated VMS member. The disclosure date is set to 3-5 business days out, excluding Monday/Friday and holiday periods, at 1400 UTC. No stakeholder is supposed to deploy public patches before the disclosure date. MITRE's CVE request form should be used again at this point, but instead select a request type of "Notify CVE about a publication" and fill in the coordinator's e-mail address, provide a link to the advisory (the URL to the official OSA), the CVE IDs covered, and the date published. Once more, fill in the security code at the bottom of the page and submit the request.

Steps to be completed

There will be occasions where the vulnerability management process is not followed and the issue is publicly disclosed before it is reported to the vulnerability sub-committee. In this case it is important to properly identify the issue and create a task to make it traceable. As the flaw has already been disclosed, there is no need to keep the Jira ticket private, so it should be set to publicly available at the very beginning of the process. In general, the standard vulnerability management process should be followed; only the embargoed disclosure should be skipped.

Steps to be executed: