Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Handling of embargoed security issues

[James Bottomley <James.Bottomley@HansenPartnership.com>]

On Mon, 2018-09-10 at 11:25 +0200, Thomas Gleixner wrote:
> On Sun, 9 Sep 2018, Theodore Y. Ts'o wrote:
> > On Sun, Sep 09, 2018 at 11:17:20AM -0700, Andy Lutomirski wrote:
> > > 
> > > What I want is the opposite of an NDA. I want a gentlemen’s
> > > agreement plus an explicit statement that the relevant people
> > > *may* talk about the issue among themselves despite any NDAs that
> > > might already exist. And that they may release patches when the
> > > embargo is up. And that the embargo has an end date, and that the
> > > developers may decline an extension.
> > 
> > So what you're talking about is some kind of "Memo of
> > Understanding" that has no talk about "if this leaks it will Intel
> > will suffer millons and billons and zillons of dollars and Intel
> > well sue you until your assets are a smoking crater in the ground"?
> > 
> > If there are no consequences to violating the Gentleman's agreement
> > (other than not being included the next time *when* another CPU
> > vulnerability comes up), then nothing really needs to be signed,
> > since it has no legal impact.
> 
> Looking at SSBD/L1TF only and ignoring the Meltdown/Spectre disaster
> (which was completely FUBARed by Intel), having something like this
> in place could have certainly solved the main gap which we had. We
> were able to communicate freely between the informed parties and
> their allowed to know kernel developers, even accross vendors. But
> there was no simple way to bring in anybody else. It tooks us almost
> 2 months to get GregKH on board, but there was no way to talk to e.g.
> the BPF folks in time.
> 
> I think this needs to have some formal setup. The way disclosure to
> companies work is through coordinators, who then disclose it
> internaly to the relevant people.
> 
> We should provide something similar, i.e. an embargo coordination
> group, which coordinates the issue with the disclosing party. And
> yes, this only can be based on a general Memo of Understanding, as
> there is no way to make that whole NDA mess work when the group needs
> to bring in individual developers.

The good thing about doing this is we can set the rules for onward
disclosure from the embargo co-ordination group.  We could probably get
away with something that said (co-ordinate with required linux kernel
subsystem maintainers on a need to know basis) i.e. under our rules we
could disclose to a maintainer if they needed to know without an NDA.

> Having something formal and halfways familiar in place is definitely
> something we need before we are starting to communicate and negotiate
> that through all channels.
> 
> What I came up with so far is:
> 
>  - work out a Memo of Understanding
>    
>  - appoint an initial group of embargo coordinators, ideally people
> who    have already an established trust relationship in the
> industry.
> 
>  - come up with a clear and well defined set of rules what this
> embargo group is doing and what not.

This is the key for better co-ordination.  One of the rules should be
"take responsibility for determining who needs to know in the Linux
Kernel maintainer community and communicating relevant information to
them on a strict need to know basis".

It can probably be better phrased and we'd need a lawyer to look it
over because this is the point at which the NDA gives way to a
"gentleman's agreement".

James