0
代码
代码
Issues
Pull Requests
讨论
Wiki
分析
0
ascend-robotascend-robotdocs: 英文资料合入
5009c5cb创建于 6 天前历史提交

MindStudio Vulnerability Handling Mechanism Description

The MindStudio community highly values the security of community versions. Vulnerability management specialists are specifically designated to handle vulnerability-related matters. To build a more secure AI full-process toolchain, we look forward to your participation.

Vulnerability Handling Process

For each security vulnerability, the MindStudio community assigns personnel to follow up and handle it. The end-to-end vulnerability handling process is shown in the following figure.

Vulnerability Handling Process

The following sections explain the vulnerability reporting, assessment, and disclosure processes.

Vulnerability Reporting

You can contact the MindStudio community team by submitting an issue. We will arrange for a security vulnerability specialist to contact you promptly.

To ensure security, do not describe specific information related to security and privacy in your issue.

Response to Reports

  1. The MindStudio community will confirm, analyze, and report security vulnerability issues within three working days, while initiating the security handling process.
  2. The MindStudio security team will assign confirmed security vulnerability issues to dedicated personnel and follow up on them.
  3. During the process of classifying, confirming, and fixing security vulnerabilities, as well as releasing patches, we will provide timely updates on the report.

Vulnerability Assessment

The Common Vulnerability Scoring System (CVSS) is widely used in the industry to assess the severity of vulnerabilities. When MindStudio uses CVSS v3.1 for vulnerability assessment, it is necessary to define an attack scenario and assess vulnerabilities based on the actual impact within that scenario. Vulnerability severity assessment involves assessing the difficulty of exploitation as well as the impact on confidentiality, integrity, and availability after exploitation, resulting in a numerical score.

Vulnerability Assessment Metrics

MindStudio assesses vulnerability severity levels using the following vector metrics:

  • Attack Vector (AV): indicates the "remoteness" of an attack and how a vulnerability can be exploited.
  • Attack Complexity (AC): describes the difficulty of executing an attack and the factors required for a successful attack.
  • User Interaction (UI): determines whether the attack requires user participation.
  • Privileges Required (PR): records the level of user authentication required for a successful attack.
  • Scope (S): determines whether an attack can affect components with different permission levels.
  • Confidentiality (C): measures the impact resulting from information disclosure to unauthorized parties.
  • Integrity (I): measures the impact resulting from information tampering.
  • Availability (A): measures the impact on users' access to data or services when needed.

Assessment Principles

  • Assess the severity level of a vulnerability, not the risk.
  • The assessment must be based on an attack scenario where a successful attack can compromise the confidentiality, integrity, and availability of the system.
  • When a security vulnerability has multiple attack scenarios, use the scenario with the greatest impact (the highest CVSS score) as the basis.
  • If a vulnerability exists in an embedded or invoked library, perform the assessment after determining the attack scenario based on how the library is used in the product.
  • If a security defect cannot be triggered or does not affect confidentiality, integrity, or availability (CIA), the CVSS score is 0.

Assessment Procedure

To assess the severity level of a vulnerability, perform the following steps:

  1. Set a possible attack scenario and score based on this attack scenario.

  2. Identify the vulnerable component and affected components.

  3. Select values for base metrics.

    • Select values for the exploitability metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction, and Scope) based on the vulnerable component.

    • Ensure impact metrics (Confidentiality, Integrity, and Availability) reflect the impact on either the vulnerable component or the affected components, whichever is more severe.

Severity Rating

Severity Rating CVSS Score Vulnerability Fix Time
Critical 9.0 to 10.0 7 days
High 7.0 to 8.9 14 days
Medium 4.0 to 6.9 30 days
Low 0.1 to 3.9 30 days

Vulnerability Disclosure

After a security vulnerability is fixed, the MindStudio community will release a security advisory (SA) and security notice (SN). The SA includes technical details of the vulnerability, type, reporter, CVE ID, affected versions, and fixed versions. To ensure security for MindStudio users, the MindStudio community will not publicly disclose, discuss, or confirm security issues until after investigation and fixing are complete and an SA has been released.

Appendixes

MindStudio SA

Currently maintained versions have no security vulnerabilities.

MindStudio SN

Vulnerability descriptions for third-party open-source components:

CVE ID Third-Party Component Name Affected MindStudio Tool/Plugin Status Description
N/A - - - -