Vulnerability Management

Introduction

Vulnerability management is a critical component of the security strategy for Open OnDemand. This document outlines the procedures for reporting and managing vulnerabilities.

Reporting a Vulnerability

If you have security concerns or think you have found a vulnerability, please submit a private report by visiting the ‘Security’ section of our GitHub located at GitHub Open OnDemand Security and clicking ‘Report a vulnerability’.

For direct inquiries or issues in submitting a report, contact the core project team via email at security@openondemand.org.

Disclosure Policy

  • Upon reporting, you will receive a response within hours, acknowledging the receipt of the report.

  • A primary handler from the team will be assigned to coordinate the fix and release process:

  • Confirm the problem and determine the affected versions (1-2 days).

  • Audit code to find any potential similar problems.

  • Prepare fixes for all releases still under maintenance and release as soon as possible.

Comments on Policy

Suggestions to improve this process can be made via submitting a ticket, opening a Discourse topic, or a pull request.

Security Audits

Open OnDemand has been audited several times by Trusted CI, the NSF Cybersecurity Center of Excellence. The latest engagement report is available here. These audits have helped shape the security landscape of the platform and contribute to its ongoing security enhancements.

Conclusion

Effective vulnerability management is crucial for maintaining the security and integrity of Open OnDemand. Users and contributors play a vital role in this process by reporting potential security vulnerabilities through GitHub, ensuring the platform’s continued safety.

Note

For details on the specific vulnerability management steps, please see the GitHub repository guidelines or the security policies linked above.