0
代码
代码
Issues
Pull Requests
讨论
Wiki
分析
0
Ccai-weiwei1989docs: 英文资料合入
64203064创建于 7 天前历史提交

MindStudio Vulnerability Handling Mechanism Description

The MindStudio community highly values the security of community versions. Vulnerability management specialists are specifically designated to handle vulnerability-related matters. To build a more secure AI full-process toolchain, we look forward to your participation.

Vulnerability Handling Process

For each security vulnerability, the MindStudio community assigns personnel to follow up and handle it. The end-to-end vulnerability handling process is shown in the following figure.

Vulnerability Handling Process

The following sections explain the vulnerability reporting, assessment, and disclosure processes.

Vulnerability Reporting

Contact the MindStudio community team by submitting an issue. A security vulnerability specialist will be assigned to contact you as soon as possible. Note that to ensure security, do not include specific information about security privacy in the issue.

Response to Reports

  1. The MindStudio community will confirm, analyze, and report security vulnerability issues within three working days, while initiating the security handling process.
  2. The MindStudio security team will assign confirmed security vulnerability issues to dedicated personnel and follow up on them.
  3. During the process of classifying, confirming, and fixing security vulnerabilities, as well as releasing patches, we will provide timely updates on the report.

Vulnerability Assessment

The industry widely uses the CVSS standard to assess vulnerability severity. When using CVSS v3.1 for vulnerability assessment, MindStudio sets specific attack scenarios and performs assessments based on the actual impact within those scenarios. Vulnerability severity assessment involves assessing the difficulty of exploitation as well as the impact on confidentiality, integrity, and availability after exploitation, resulting in a numerical score.

Vulnerability Assessment Metrics

MindStudio assesses vulnerability severity levels using the following vector metrics:

  • Attack Vector (AV): indicates the "remoteness" of an attack and how a vulnerability can be exploited.
  • Attack Complexity (AC): describes the difficulty of executing an attack and the factors required for a successful attack.
  • User Interaction (UI): determines whether the attack requires user participation.
  • Privileges Required (PR): records the level of user authentication required for a successful attack.
  • Scope (S): determines whether an attack can affect components with different permission levels.
  • Confidentiality (C): measures the impact resulting from information disclosure to unauthorized parties.
  • Integrity (I): measures the impact resulting from information tampering.
  • Availability (A): measures the impact on users' access to data or services when needed.

Assessment Principles

  • Assess the severity level of a vulnerability, not the risk.
  • The assessment must be based on an attack scenario where a successful attack can compromise the confidentiality, integrity, and availability of the system.
  • When a security vulnerability has multiple attack scenarios, use the scenario with the greatest impact (the highest CVSS score) as the basis.
  • If a vulnerability exists in an embedded or invoked library, perform the assessment after determining the attack scenario based on how the library is used in the product.
  • If a security defect cannot be triggered or does not affect confidentiality, integrity, or availability (CIA), the CVSS score is 0.0.

Assessment Procedure

To assess the severity level of a vulnerability, perform the following steps:

  1. Set a possible attack scenario and score based on this attack scenario.

  2. Identify the vulnerable component and affected components.

  3. Select values for base metrics.

    • Select values for the exploitability metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction, and Scope) based on the vulnerable component.

    • Ensure impact metrics (Confidentiality, Integrity, and Availability) reflect the impact on either the vulnerable component or the affected components, whichever is more severe.

Severity Rating

Severity Rating CVSS Score Vulnerability Fix Time
Critical 9.0~10.0 7 days
High 7.0~8.9 14 days
Medium 4.0~6.9 30 days
Low 0.1~3.9 30 days

Vulnerability Disclosure

After a security vulnerability is fixed, the MindStudio community will release a Security Advisory (SA) and a Security Notice (SN). The SA includes technical details of the vulnerability, type, reporter, CVE ID, affected versions, and fixed versions. To ensure security for MindStudio users, the MindStudio community will not publicly disclose, discuss, or confirm security issues until after investigation and fixing are complete and an SA has been released.

Appendix

MindStudio SA

Currently maintained versions have no security vulnerabilities.

MindStudio SN

Vulnerability descriptions for third-party open-source components:

CVE ID Third-Party Component Name Affected MindStudio Tool/Plugin Status Description