Application Security Testing, Vulnerability Research - CNA Processes
This handbook page is intended to document CNA processes that the Vulnerability Research team uses in contributing to GitLab’s role as a CNA.
CVE Requests
CWEs, CVSS Scores, and Descriptions
- Start with identifying an accurate CWE for the vulnerability
- Review the CVSS score that the submitter provided
  - If the CVSS score is largely out-of-line with what you would expect based on the CWE and the description, confirm with the submitter that the score makes sense
  - If clear reasons exist for the unexpected CVSS metrics, add a note in the description to this effect. For example, "… Overall impact is limited due to the user only being able to affect their own account"
  - Note: the CVSS score should make sense from an outside perspective when only having access to the CVE description and CWE
GPG Key
The email cve@gitlab.com has a GPG key that the Vulnerability Research team uses during CNA processes.
Extending Public Key
The GitLab cve@gitlab.com email's public GPG key is set to expire every six months. Follow these steps to extend the expiration by another six months:

- Have both the public and private keys to cve@gitlab.com locally.
- List the keys with gpg --list-keys:

    $> gpg --list-keys
    /home/user/.gnupg/pubring.kbx
    ------------------------------
    pub   rsa4096 2020-00-00 [SC] [expires: 2020-06-00]
          AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJ
    uid           [ultimate] GitLab CVE <cve@gitlab.com>
    sub   rsa4096 2020-00-00 [E] [expires: 2020-06-00]

- Edit the key with gpg --edit-key AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJ
- Set the expiration date on the key to another 6m with the expire interactive command:

    $> gpg --edit-key AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJ
    ...
    gpg> expire
    ...
    Key is valid for? (0) 6m
Once the expiration on the public key is extended by another six months, export an armored version of the key with:

    gpg --export --armor AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJ

You may also want to fetch the ID of the key. The ID is the last 16 characters of the long-form key, AAAABBBBCCCCDDDDEEEEFFFF[GGGGHHHHIIIIJJJJ]:

    gpg --list-signatures cve@gitlab.com
Update Locations
The new public GPG key needs to be updated in the following locations: