ADempiere Security Policy

From ADempiere

The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts. -Eugene H. Spafford

Introduction

A while ago, some of our own security hackers discovered seemingly easy holes within Compiere/ADempiere based systems. As a result, it raised alarm within the community on how best to treat such discoveries (INFO IS FREE) without endangering the end users (PPL R NOT). There was some serious debate within the forum and even around Berlin. The debate will still continue. Meanwhile we have to manage our huge ship. Thus this document by our security team attempts to outline the ADempiere Community Approach for reporting and responding to security vulnerabilities.

You Found A What?

If you find a bug and are not sure whether it's a security flaw or not, or if you are sure about a security flaw and would like to report it (thank you :-) ), then you've come to the right place.

What Is A Security Flaw?

An error of commission or omission in a system that may allow protection mechanisms to be bypassed.[1]

Put simply, any bug that may lead to access (read/write/delete) to protected data without the user being authorised through ADempiere security and authorisation procedures is considered a security issue.
According to this definition, configuration problems do not count as security flaws unless they are caused by the default configuration of ADempiere.

How To Report?

It is assumed that you've tested the flaw thoroughly and are sure (well, 70% sure :-) ) about it being a flaw.
First you need to create a report and then send it to the security team.

Please send your security reports only to security[ATSIGN]adempiere[DOTSIGN]org.

Please don't open a tracker (even a private one) or publish the security issue by other means, so that implementors and customers have time to fix the hole.

Report Contents

  • [Required] ADempiere version, e.g. 3.2.0; or if you are working with the trunk, the revision number, e.g. 2435.
  • [Required] Database vendor and version, e.g. OracleXE 10.2.0 or PostgreSQL 8.2.4.
  • [Optional] Operating system, e.g. Debian 4.0 or Windows XP SP2.
  • [Optional] Internet browser, e.g. Internet Explorer 6.0 or Firefox 2.0.0.3.
  • [Required] Steps to abuse the flaw; please describe step by step what to do in order to abuse the flaw.
  • [Optional] Analysis; if you have some clue regarding the flaw, it would be very good and helpful to attach it as well.

How to be notified of flaws?

If you want to be included in the security reports mailing list, send your request to security[ATSIGN]adempiere[DOTSIGN]org. Once your request has been approved, you will be added to the mailing list. You will then be able to see reports as soon as they are issued. This can allow you to participate in the fixing process, or take steps to protect your system.


Application to Join Security List

Please include the following details in your request to join the security mailing list:

  • [Required] E-mail address
  • [Required] Full name
  • [Optional] SourceForge or wiki username
  • [Required] Company or client you represent
  • [Required] Reason for interest, i.e. Developer, Implementation Company, User System Admin
  • [Required] Address
  • [Required] Phone number or Skype name
  • [Required] Reference name: name of someone who can verify your need to know security info
  • [Required] Reference contact info: e-mail, phone, or Skype

Who can Join Security List?

Requests to be added to the mailing list will be verified, and the following parties will qualify:

  1. Recognized contributors in the ADempiere Community (verified by the security team)
  2. User IT staff (verified by a user company executive)
  3. Consultants implementing ADempiere (verified by a user company executive)
  4. Admins from related projects (verified by the project owner)


How are Reports handled and published?

  1. All members of the security mailing list will receive immediate notification of flaw reports.
  2. The report will be investigated to determine its validity and the level of exposure.
  3. Upon verification of the problem, a generic notification will be posted to the ADempiere Public Forum Security Thread. It will contain information about who may be exposed, but without detailed steps to abuse the flaw. [Example]
  4. Work will begin on fixes.
  5. A private courtesy e-mail will be sent to other known projects, i.e. Compiere, OpenBravo, OpenXpertya, KnowledgeBlue, Mayking.
  6. Workarounds will immediately be published to the security list and other projects.
  7. Fixes will immediately be committed to SVN, along with a private tracker without detailed abuse information.
    1. Details of the fix will be mailed to the security list.
    2. A response will be posted to the Public Forum informing of the fix, but without detailed abuse information.
    3. After 10 business days, the tracker can be made public and all detailed information added, for project documentation purposes.


Acknowledgments

We acknowledge the effort and the time you spend to improve your own project by reporting security flaws to us. Thank you! -ADempiere Security Team

External Links