At Chef, we take the security of our products and services seriously. In order for us to treat potential security issues with the priority they merit, we need as much accurate information as possible made available at the time of submission.
In a similar manner, if your organization carries out routine/periodic security audits (penetration testing, vulnerability scanning, red teaming, etc.) and you require explanations around features which may raise flags through these processes, we'll need a minimum level of detail made available so we can triage these issues to the appropriate owners to respond to.
Submitting a Disclosure/Report
If you are raising these issues as trackable tickets through Chef Support (Zendesk), then we would ask that they are correctly identified by choosing the "Security Disclosure" form type from the issue drop-down menu:
This provides us with the minimum criteria we need to triage security issues quickly.
Product Specific Disclosure
If you are reviewing a product for installation/upgrade in your environment and have compliance security issues, we would ask that these be submitted on a per-issue basis under the "Product Specific Disclosure" category.
If you are submitting a vulnerability report from a tool/process in which one or more Chef products have been highlighted as a potential issue, please use the "Vulnerability Scan Report" category and fill out the details of the product of primary concern. Ideally this would also be resubmitted once for each product, but if needed, we can dissect the report on your behalf. Remember that you may prefer to track multiple issues, and it is of mutual benefit to disclose your concerns on a per-product basis in the event you need to report concisely and directly internally.
Chef Property Application/Service
If you're using a hosted service such as Habitat Builder or Hosted Chef and wish to raise a concern or disclose a vulnerability, please select the "Chef Property Application/Service" category and provide the associated details.
When submitting a vulnerability associated with one of our services, we'd ask that the following guidelines be adhered to:
- Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Please be sure to choose the FQDN of the affected system from the "web component" drop-down and ensure the description includes documentation of the vulnerability (see below).
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or by deleting or modifying other people's data.
- Do not reveal the problem to others until it has been resolved.
Subject - An accurate description of the disclosure. If this is a vulnerability, then it should be an explicit description and use well-known industry nomenclature/language to describe the concern. If it is a report, then the title can include a reference to the report or the concern that the report raises.
Description - A vulnerability description must be short, clear, and direct. Service/Product owners and Security teams can best assess concerns when the description also references or links to trusted sources that can help others understand, identify, and fix the bug. This could be an OWASP link, CVE references, or links to other public advisories and standards. Do not reference e.g. Wikipedia or other sites which are not well recognized in security. If you have the automated output of a given scan or tool, it's best to attach this in full (if it can be shared) and translate it into something human-readable in the description, citing a reference to the attachment.
If you wish to include reproduction steps in the Description body, these would ideally be in the form of a step-through list. For example:
- Step 1: Go to the following [URL]
- Step 2: Enter your username and password (you need an account to do this)
- Step 3: In the Search box at top right, insert the following information:
- Step 4: Click the “Search” button
If you used only a browser, identify the required browser version. Anything else that provides further insight (links to source code, additional tools used to reproduce the issue, etc.) may also be included.
Vulnerability Severity Type - We use a basic low/medium/high scale to assess and prioritize submissions. If Chef deems it necessary to re-prioritize the issue based on investigation and/or reproduction, we reserve the right to do so.
Attachments - If necessary, provide UI screenshots as part of the step-through guide you have previously described and other supplementary data to corroborate any security concern. If a reproduction through video is necessary, we will review it. Vulnerability reports should be labelled with a reference we can use when replying to submissions via both private email and the ticket submission.