[SSDF Epic] RV: Assess, prioritize and remediate vulnerabilities #125

Open
jiekang opened this issue Feb 28, 2022 · 2 comments
jiekang commented Feb 28, 2022

This issue tracks the RV SSDF items and will also contain more detail for them.

Work that addresses these items can reference this epic issue.

  • RV.1.1: Gather information on potential vulnerabilities
    1. Adoptium will maintain and adhere to process documentation describing how it gathers information about vulnerabilities.
  • RV.1.3: Have a team and process in place to manage vulnerability reports and incidents
    1. Adoptium will have a security group (ASG) that maintains documentation describing its mission and responsibilities, as well as adhering to a documented incident response plan which details how the organization manages vulnerabilities.
  • RV.2.1: Analyze each vulnerability
    1. ASG will maintain process documentation as part of the incident response plan detailing how vulnerabilities are analyzed once they come to Red Hat’s attention.
    2. Each identified vulnerability will be analyzed by ASG in accordance with the defined workflow, and the appropriate information will be provided to the offering team for further action.
  • RV.2.2: Plan and implement risk responses for vulnerabilities
    1. Adoptium contributors must adhere to the ASG standards when remediating vulnerabilities in their offerings, following the workflow outlined in the incident response plan.
    2. Each vulnerability will be handled by contributors in accordance with the documented incident response plan and the offering’s vulnerability process documentation, and be tracked in an approved tracking tool.
  • RV.3.1: Conduct root cause analysis
    1. ASG will provide Common Weakness Enumeration (CWE) information as part of all vulnerability analysis.
  • RV.3.2: Mitigate root causes
    1. Adoptium contributors will resolve additional identified occurrences of a vulnerability rated Critical or Important prior to the next release, in accordance with their root cause analysis process.
  • RV.3.3: Proactively check for similar vulnerability instances
    1. For resolved vulnerabilities rated Critical or Important, Adoptium contributors will review similar functional areas of the offering in accordance with their root cause analysis process to determine if additional occurrences of the vulnerability exist.
smlambert (Contributor) commented

For RV1.3, we utilize the Eclipse Foundation structure for reporting and handling vulnerabilities, as shared in the Security section of every Adoptium repository, where the security policy is referenced (for example https://github.com/adoptium/adoptium/security/policy); if there are any security advisories, those can be viewed by the project leads.


As per the Security policy, reports can be sent to Eclipse Security Team at security@eclipse.org. A delegate from the Adoptium PMC (currently Stewart Addison), is privy to reports sent to the Eclipse Security Team that are relevant to the Adoptium project(s).

A "Report a Vulnerability" link in the "Other" section of the footer on the adoptium.net website also directs people to report to the Eclipse Security Team.


sxa (Member) commented Oct 17, 2023

Security policy is documented at https://github.com/adoptium/infrastructure/security/policy

@adamfarley adamfarley removed their assignment Oct 17, 2023