From c41702dee9bcf77527ce453d8dfb3aa152910726 Mon Sep 17 00:00:00 2001
From: Jarek Potiuk <jarek@potiuk.com>
Date: Tue, 9 May 2023 17:03:57 +0200
Subject: [PATCH] Add description on how we handle security issues in Airflow
 (#30960)

Proposed description of the security policy we have in
Apache Airflow.

Co-authored-by: Pierre Jeambrun <pierrejbrun@gmail.com>
Co-authored-by: Pankaj Koti <pankajkoti699@gmail.com>
Co-authored-by: Vincent <97131062+vincbeck@users.noreply.github.com>

---------

Co-authored-by: Pierre Jeambrun <pierrejbrun@gmail.com>
Co-authored-by: Pankaj Koti <pankajkoti699@gmail.com>
Co-authored-by: Vincent <97131062+vincbeck@users.noreply.github.com>
---
 .github/SECURITY.rst                    | 69 ++++++++++++++++++++++++-
 COMMITTERS.rst                          |  6 +++
 dev/README_RELEASE_AIRFLOW.md           | 15 ++++++
 dev/README_RELEASE_HELM_CHART.md        | 15 ++++++
 dev/README_RELEASE_PROVIDER_PACKAGES.md | 15 ++++++
 5 files changed, 119 insertions(+), 1 deletion(-)

diff --git a/.github/SECURITY.rst b/.github/SECURITY.rst
index d4f2863a8ccda..5b28aee9ad179 100644
--- a/.github/SECURITY.rst
+++ b/.github/SECURITY.rst
@@ -39,7 +39,7 @@ The Apache Software Foundation takes security issues very seriously. Apache
 Airflow specifically offers security features and is responsive to issues
 around its features. If you have any concern around Airflow Security or believe
 you have uncovered a vulnerability, we suggest that you get in touch via the
-e-mail address security@apache.org. In the message, try to provide a
+e-mail address security@airflow.apache.org. In the message, try to provide a
 description of the issue and ideally a way of reproducing it. The security team
 will get back to you after assessing the description.
 
@@ -52,3 +52,70 @@ before disclosing it publicly.
 The `ASF Security team's page <https://www.apache.org/security/>`_ describes
 how vulnerability reports are handled, and includes PGP keys if you wish to use
 that.
+
+
+Handling security issues in Airflow
+-----------------------------------
+
+The security issues in Airflow are handled by the Airflow Security Team. The team consists
+of selected PMC members that are interested in looking at, discussing about and fixing the
+security issues, but it can also include committers and non-committer contributors that are
+not PMC members yet and have been approved by the PMC members in a vote. You can request to
+be added to the team by sending a message to private@airflow.apache.org, however, the team
+should be small and focused on solving security issues, so the requests will be evaluated
+on-case-by-case and the team size will be kept relatively small, limited to only actively
+security-focused contributors.
+
+There are certain expectations from the members of the security team:
+
+* They are supposed to be active in assessing, discussing, fixing and releasing the
+  security issues in Airflow. While it is perfectly understood that as volunteers, we might have
+  periods of lower activity, prolonged lack of activity and participation will result in removal
+  from the team, pending PMC decision (the decision on removal can be taken by LAZY CONSENSUS among
+  all the PMC members on private@airflow.apache.org mailing list).
+
+* They are not supposed to reveal the information about pending and unfixed security issues to anyone
+  (including their employers) unless specifically authorised by the security team members, specifically
+  if diagnosing and solving the issue might involve the need of external experts - for example security
+  experts that are available through Airflow stakeholders. The intent about involving 3rd parties has
+  to be discussed and agreed up at security@airflow.apache.org.
+
+* They have to have an `ICLA <https://www.apache.org/licenses/contributor-agreements.html>`_ signed with
+  Apache Software Foundation.
+
+* The security team members might inform 3rd parties about fixes, for example in order to assess if the fix
+  is solving the problem or in order to assess its applicability to be applied by 3rd parties, as soon
+  as a PR solving the issue is opened in the public airflow repository.
+
+* In case of critical security issues, the members of the security team might iterate on a fix in a
+  private repository and only open the PR in the public repository once the fix is ready to be released,
+  with the intent of minimizing the time between the fix being available and the fix being released. In this
+  case the PR might be sent to review and comment to the PMC members on private list, in order to request
+  an expedited voting on the release. The voting for such release might be done on the
+  ``private@airflow.apache.org`` mailing list and should be made public at the ``dev@apache.airflow.org``
+  mailing list as soon as the release is ready to be announced.
+
+* The security team members working on the fix might be mentioned as remediation developers in the CVE
+  including their job affiliation if they want to.
+
+* Community members acting as release managers are by default members of the security team and unless they
+  want to, they do not have to be involved in discussing and solving the issues. They are responsible for
+  releasing the CVE information (announcement and publishing to security indexes) as part of the
+  release process. This is facilitated by the security tool provided by the Apache Software Foundation.
+
+Releasing Airflow with security patches
+---------------------------------------
+
+Apache Airflow uses strict `SemVer <https://semver.org>`_ versioning policy, which means that we strive for
+any release of a given ``MAJOR`` Version (version "2" currently) to be backwards compatible. When we
+release ``MINOR`` version, the development continues in the ``main`` branch where we prepare the next
+``MINOR`` version, but we release ``PATCHLEVEL`` releases with selected bugfixes (including security
+bugfixes) cherry-picked to the latest released ``MINOR`` line of Apache Airflow. At the moment, when we
+release a new ``MINOR`` version, we stop releasing ``PATCHLEVEL`` releases for the previous ``MINOR`` version.
+
+For example, when we released  ``2.6.0`` version on April 30, 2023, until we release ``2.7.0`` version,
+all the security patches will be cherry-picked and released in ``2.6.*`` versions only. There will be no
+``2.5.*`` versions  released after ``2.6.0`` has been released.
+
+This means that in order to apply security fixes with Apache Airflow software released by us, you
+MUST upgrade to the latest ``MINOR`` version of Airflow.
diff --git a/COMMITTERS.rst b/COMMITTERS.rst
index d476ace8bf0dd..bfc889438199c 100644
--- a/COMMITTERS.rst
+++ b/COMMITTERS.rst
@@ -72,6 +72,10 @@ Code contribution
 5.  Has made a significant improvement or added an integration with services/technologies important to the Airflow
     Ecosystem
 
+6.  Actively participated in the security process, as a member of security team, discussing, assessing and
+    fixing security issues.
+
+
 Community contributions
 ^^^^^^^^^^^^^^^^^^^^^^^^
 
@@ -144,6 +148,8 @@ Code contribution
   * Code reviews
   * Merging pull requests
   * Fixing bugs and implementing improvements
+  * Actively participating in the security process and significantly contributing to overall security of
+    Airflow
 
 
 Only a current PMC member can nominate a current committer to be part of PMC.
diff --git a/dev/README_RELEASE_AIRFLOW.md b/dev/README_RELEASE_AIRFLOW.md
index e248468f3b5ac..107b07f603cdc 100644
--- a/dev/README_RELEASE_AIRFLOW.md
+++ b/dev/README_RELEASE_AIRFLOW.md
@@ -42,6 +42,7 @@
   - [Verify production images](#verify-production-images)
   - [Publish documentation](#publish-documentation)
   - [Notify developers of release](#notify-developers-of-release)
+  - [Send announcements about security issues fixed in the release](#send-announcements-about-security-issues-fixed-in-the-release)
   - [Add release data to Apache Committee Report Helper](#add-release-data-to-apache-committee-report-helper)
   - [Update Announcements page](#update-announcements-page)
   - [Create release on GitHub](#create-release-on-github)
@@ -763,6 +764,20 @@ Send the same email to announce@apache.org, except change the opening line to `D
 It is more reliable to send it via the web ui at https://lists.apache.org/list.html?announce@apache.org
 (press "c" to compose a new thread)
 
+## Send announcements about security issues fixed in the release
+
+The release manager should review and mark as READY all the security issues fixed in the release.
+Such issues are marked as affecting `< <JUST_RELEASED_VERSION>` in the CVE management tool
+at https://cveprocess.apache.org/. Then the release manager should announced the issues via the tool.
+
+Once announced, each of the issue should be linked with a 'reference' with tag 'vendor advisory' with the
+URL to the announcement published automatically by the CVE management tool.
+Note that the announce@apache.org is moderated, and the link to the email thread will not be published
+immediately, that's why it is recommended to add the link to users@airflow.apache.org which takes usually
+few seconds to be published after the CVE tool sends them.
+
+The ASF Security will be notified and will submit to the CVE project and will set the state to 'PUBLIC'.
+
 ## Add release data to Apache Committee Report Helper
 
 Add the release data (version and date) at: https://reporter.apache.org/addrelease.html?airflow
diff --git a/dev/README_RELEASE_HELM_CHART.md b/dev/README_RELEASE_HELM_CHART.md
index ada0ffa0d2297..29a746c5e5ded 100644
--- a/dev/README_RELEASE_HELM_CHART.md
+++ b/dev/README_RELEASE_HELM_CHART.md
@@ -38,6 +38,7 @@
   - [Publish release tag](#publish-release-tag)
   - [Publish documentation](#publish-documentation)
   - [Notify developers of release](#notify-developers-of-release)
+  - [Send announcements about security issues fixed in the release](#send-announcements-about-security-issues-fixed-in-the-release)
   - [Add release data to Apache Committee Report Helper](#add-release-data-to-apache-committee-report-helper)
   - [Update Announcements page](#update-announcements-page)
   - [Create release on GitHub](#create-release-on-github)
@@ -689,6 +690,20 @@ Send the same email to announce@apache.org, except change the opening line to `D
 It is more reliable to send it via the web ui at https://lists.apache.org/list.html?announce@apache.org
 (press "c" to compose a new thread)
 
+## Send announcements about security issues fixed in the release
+
+The release manager should review and mark as READY all the security issues fixed in the release.
+Such issues are marked as affecting `< <JUST_RELEASED_VERSION>` in the CVE management tool
+at https://cveprocess.apache.org/. Then the release manager should announced the issues via the tool.
+
+Once announced, each of the issue should be linked with a 'reference' with tag 'vendor advisory' with the
+URL to the announcement published automatically by the CVE management tool.
+Note that the announce@apache.org is moderated, and the link to the email thread will not be published
+immediately, that's why it is recommended to add the link to users@airflow.apache.org which takes usually
+few seconds to be published after the CVE tool sends them.
+
+The ASF Security will be notified and will submit to the CVE project and will set the state to 'PUBLIC'.
+
 ## Add release data to Apache Committee Report Helper
 
 Add the release data (version and date) at: https://reporter.apache.org/addrelease.html?airflow
diff --git a/dev/README_RELEASE_PROVIDER_PACKAGES.md b/dev/README_RELEASE_PROVIDER_PACKAGES.md
index 98ebc39a8224d..45f44e40f7dd3 100644
--- a/dev/README_RELEASE_PROVIDER_PACKAGES.md
+++ b/dev/README_RELEASE_PROVIDER_PACKAGES.md
@@ -45,6 +45,7 @@
   - [Publish documentation prepared before](#publish-documentation-prepared-before)
   - [Add tags in git](#add-tags-in-git-1)
   - [Notify developers of release](#notify-developers-of-release)
+  - [Send announcements about security issues fixed in the release](#send-announcements-about-security-issues-fixed-in-the-release)
   - [Announce about the release in social media](#announce-about-the-release-in-social-media)
   - [Add release data to Apache Committee Report Helper](#add-release-data-to-apache-committee-report-helper)
   - [Close the testing status issue](#close-the-testing-status-issue)
@@ -990,6 +991,20 @@ It is more reliable to send it via the web ui at https://lists.apache.org/list.h
 Note If you choose sending it with your email client make sure the email is set to plain text mode.
 Trying to send HTML content will result in failure.
 
+## Send announcements about security issues fixed in the release
+
+The release manager should review and mark as READY all the security issues fixed in the release.
+Such issues are marked as affecting `< <JUST_RELEASED_VERSION>` in the CVE management tool
+at https://cveprocess.apache.org/. Then the release manager should announced the issues via the tool.
+
+Once announced, each of the issue should be linked with a 'reference' with tag 'vendor advisory' with the
+URL to the announcement published automatically by the CVE management tool.
+Note that the announce@apache.org is moderated, and the link to the email thread will not be published
+immediately, that's why it is recommended to add the link to users@airflow.apache.org which takes usually
+few seconds to be published after the CVE tool sends them.
+
+The ASF Security will be notified and will submit to the CVE project and will set the state to 'PUBLIC'.
+
 ## Announce about the release in social media
 
 ------------------------------------------------------------------------------------------------------------