Mattermost Handbook
Need help?How to spend company moneyHow to update the HandbookRelease overview
0.2.1
0.2.1
  • Mattermost Handbook
  • Company
    • About Mattermost
      • List of terms
      • Business model
      • Mindsets
    • "How to" guides for staff
      • How to set up a 1-1 channel
      • How to update the handbook
      • How to manage Handbook notifications
      • How to change mobile device
        • How to handle a lost mobile device
      • How to do a mini-retrospective
      • How to autolink keywords in Mattermost
  • Operations
    • Company operations
      • Areas of Responsibility
      • Mattermost Leadership Team (MLT)
        • MLT cadence
      • Company measures
        • Metrics definitions
        • FY23 goals board
        • MLT metrics
      • Company cadence
      • Company policies
        • Community response policy
        • Security policy
      • Company processes
        • Issue/solution process
        • Company agreements
        • Publishing
          • Public web properties
          • Publishing guidelines
            • Brand and visual design guidelines
            • Voice, tone, and writing style guidelines
              • Contribute to documentation
            • Confidentiality guidelines
          • Post-publication quality control process
      • Handbook processes and policies
        • Handbook onboarding
      • Fiscal year planning
    • Research and Development
      • Organization
        • Tech Writing
        • Data engineering
        • Delivery
        • Cloud Platform
        • Site Reliability Engineering
        • GRC
        • Product Security
        • Security Operations
      • Processes
        • Feature Labels
      • Product
        • Product planning
          • Product philosophy and principles
          • Prioritization process
          • Release planning process
          • Roadmap views
          • Release plan
          • Launch plan
          • Feature requests
        • Development process
          • Mobile feature guidelines
          • Deprecation policy
          • Mattermost software requirements process
          • Jira ticket lifecycle
          • Creating new Jira bug tickets
            • Priority levels for tickets
            • Jira fix versions
        • Release process
          • Release overview
          • Feature release process
          • Dot release process
          • Security release process
          • Mobile app release process
          • Desktop app release process
          • Release tips
          • Release scorecard definitions
        • How-to guides for Product
          • How to use productboard
          • How to record a roadmap video
          • How to update integrations directory
          • How to write a feature release announcement
        • Product Management team handbook
          • Product Management Areas of Ownership
          • Product Manager onboarding
          • Product Manager levels
          • Professional development
        • Product Design team handbook
          • Product Design levels
        • Technical Writing team handbook
          • Work with us
          • User interface text guidelines
          • Documentation style guide
          • Our terminology
          • Guidelines for PMs and developers
          • Guidelines for community contributions
          • Technical Writer levels
          • Docathon 2021
            • Getting started with contributing
        • Growth
          • A/B testing methodology
          • PQL definition
        • Analytics
          • Product Analyst Engineer levels
          • Looker
            • Dashboards
            • Explores
          • Telemetry
        • Developer relations
        • Product team hangouts
      • Engineering
        • Infrastructure engineering
          • Cloud infrastructure cost KPIs
          • Cloud data export process
          • Cloud churn process
          • Reliability Manifesto
          • Production Readiness Review
          • Infrastructure Library
        • Integrations team processes
        • Plugin release process
        • Data Engineering
        • Sustained Engineering
          • On call
        • How to go to a conference
        • Public speaking
        • Core contributor expanded access policy
      • Quality Assurance
        • QA workflow
        • QA testing tips and tools
        • Rainforest process
    • Messaging and Math
      • How-to guides for M&M
        • How to create release announcements
        • How to create screenshots and GIFs
        • How to write Mattermost case studies
        • How to write guest blog posts for Mattermost apps and services
        • How to write Mattermost recipes
        • How to compose tweets
        • How to create a split test for web page
        • How to run meetups
        • How to run executive dinners
      • Checklists for M&M
        • Blog post checklist
        • Bio checklist
      • Mattermost websites
      • Demand generation reporting
      • M&M Asana guidelines
      • Content marketing
        • How to use the editorial calendar
        • Content development and distribution
        • Video content guidelines
        • How to contribute content
    • Sales
      • Deal Desk
      • Partner programs
      • Lead management
    • Deployment Engineering
      • Overview
      • Workflows
      • Frequently Asked Questions
      • Playbook for MME Sev 1 Outages
      • Status Update Template
    • Program Management
    • Customer Success
      • Customer Support
    • Legal
      • Contracts
      • Ironclad Basics
        • Company-Wide Workflows
        • Sales Contracts and Workflows
        • Signing a Contract and Contract Repository
    • Finance
      • Budget
      • How to use Airbase
        • Access Airbase
        • Navigate Airbase
        • How to submit a purchase request
        • How to submit a reimbursement request
        • How to review a reimbursement request
        • Vendor portal guide
        • Frequently asked questions
      • Onboarding
        • Vendor onboarding
        • ROW staff onboarding
      • Staff member expenses
        • How to spend company money
        • How to spend company money: Internships
        • Corporate credit card policy
        • How to access Airbase
        • Gifting policy
        • How to book airfare and travel
        • How to reimburse the company
        • How to convert currencies
        • How to get paid
      • Arrange a Bounty Program
      • Naming files and agreements
      • Risk management
        • Mattermost U.S. consulting agreements
      • Operations playbook
    • Security
      • Policies
      • Privacy
        • Data deletion requests
        • Data subject access requests
      • Product Security
        • Product Vulnerability Process
        • Working on security-sensitive pull requests
        • Secure Software Development guide
      • Security Operations
        • User guides
    • Workplace
      • PeopleOps
        • HR cadences
        • HR systems
        • HR Processes
        • Working at Mattermost
          • Onboarding
            • Things everyone must know
            • Staff onboarding
            • Engineer onboarding timeline and expectations
            • Manager onboarding
            • Frequently asked questions
          • Learning and development
          • Mattermost communication best practices
          • Paid time off
            • Out of office email example
          • Travel
            • Business travel insurance
          • Leaves of absence
            • Pregnancy leave
            • Baby bonding parental leave
            • Jury duty
          • Workplace program
          • Relocation
          • Total rewards
        • Performance reviews
          • Formal review process
          • New staff performance review
          • Informal review process
        • Transfers and promotions
        • Offboarding instructions for managers
        • People compliance
      • People policies
      • Groups
        • Staff Resource Groups
      • Approvals and iteration
      • IT
        • IT helpdesk
        • Hardware and software purchases
        • Hardware buy back policy
        • Software systems
  • Contributors
    • Contributors
      • Equity, diversity, and inclusion
      • How to contribute to Mattermost
        • Community Content program
        • Documentation contributions
        • Help Wanted tickets
        • Localization
        • Contribution events
      • Mattermost community
      • Contributor kindness
      • Community systems
      • Guidelines and playbooks
        • Social engagement guidelines
        • Contribution guidelines and code of conduct
        • Mattermost Community playbook
        • How to run a Hackathon
        • Hacktoberfest event organizer guide for Mattermost
    • MatterCon
      • Staff information privacy management
      • Mattermost events code of conduct
      • MatterCon2021
    • Join us
      • Ice-breakers
      • Help Wanted tickets
      • Localization
      • Mattermost GitHub sponsorship
      • Things candidates should know
      • Staff recruiting
      • Recruiting cadences
        • Product Manager hiring process
      • Exec recruiting
        • EA logistics
  • Help and support
    • Contact us
Powered by GitBook
On this page
  • Overview
  • Goals
  • Scope
  • Background reading
  • Guidelines by engineering area
  • Common guidelines
  • Guidelines for developers
  • Guidelines for QA
  • Guidelines for security engineering

Was this helpful?

Edit on Git
Export as PDF
  1. Operations
  2. Security
  3. Product Security

Working on security-sensitive pull requests

Overview

This document aims to lay down some guidelines on how to work with security-sensitive changes in public Git repositories.

Goals

Establish and document a way of working that:

  1. Minimizes the risk of vulnerability information leaking out before a fix is made available.

  2. Minimizes the friction caused for developers, QA, and security engineers actively working on a security issue.

  3. Is easy to understand and adopt, given the existing PR process.

  4. Is easy to remember and follow.

Scope

The guidelines documented here only apply to open source products maintained by Mattermost. Closed-source work does not have the same considerations and does not need to follow the guidelines laid out here.

Background reading

Similar documentation by Mozilla used as the inspiration for this document: https://firefox-source-docs.mozilla.org/bug-mgmt/processes/fixing-security-bugs.html

Guidelines by engineering area

Common guidelines

When working on security-sensitive changes, pay attention to what is public and what is not. Be mindful about entering information into systems such as Mattermost Channels and Boards, GitHub Issues and Pull Requests, and Jira.

When discussing related work in public channels, such as a CI pipeline failure blocking the security release or feature work that had to be postponed because of the incident, pay attention to the ways you reference the private information. Avoid sharing ticket IDs or mentioning key words like "security": every time you reference the issue in an identifiable way, you add contextual information, and that information can eventually add up to something that's useful to an attacker. Specific words and phrases to be extra careful with:

  • Obvious key words: "security", "vulnerability", "exploit", "insecure", "attack".

  • Anything that identifies a vulnerability type: "XSS", "authentication bypass", "authorization bug", "SQL injection", "remote code execution", etc.

  • Security-specific tools and terminology: "HackerOne", "Bugcrowd", "CVE", "CVSS", "advisory", "pentest".

Guidelines for developers

When commenting on your code, keep references to security issues to a minimum. For example: If it's necessary to highlight that a non-obvious validation check is necessary for security, avoid the following:

// Do not remove! This check prevents a security issue!
if url.Opaque != "" {
    return "", errors.New("malformed URL");
}

Instead refer to the ticket ID or some other opaque identifier only:

// See MM-1234
if url.Opaque != "" {
    return "", errors.New("malformed URL");
}

With the latter, any other staff member or your future self can still easily find the context, but you avoid pointing out to would-be attackers that the change is critical for security.

When developing unit/e2e tests, do not use the Proof-of-Concept (PoC) exploits received from the security team or documented on the vulnerability ticket as-is: the purpose of these PoCs is to clearly demonstrate the security issue and its implications, which often means they are very easy to "weaponize". Instead, test the intended functionality using more benign payloads. For example in the case of a Cross-Site Scripting (XSS) issue resulting from missing HTML special character escaping, test the fix using sets of individual characters or garbage input instead of a full XSS payload. If you are unsure about your approach to testing, ask the Security team!

When submitting PRs, pay attention to the PR title and description. Remember the Common Guidelines and do not use the title of the Jira ticket as-is. The title of the PR is one of the most visible and obvious indicators of a security issue being worked on! It appears on the PR itself, the pull requests index page—both of which attackers are likely to monitor—and eventually ends up in Git history when the PR is squashed and merged. The guidelines also apply to individual commit messages and the name of the branch!

  • If you notice you've made a mistake in the code, unit tests, comments, or commit messages and already pushed it to GitHub, fix it as soon as possible by rewriting the Git history and force-pushing the new, sanitized changes.

  • If you notice you've made a mistake in the PR title or description, edit it out and alert the Security team: Edits will still be visible in the GitHub UI and if the information revealed is sensitive enough, Security may choose to fully delete the PR in question.

Guidelines for QA

When QA testing a security fix, keep in mind that any test steps documented on the Jira ticket are most likely sensitive and should not be publicly disclosed. When a test step fails or the instructions are unclear, feel free to request changes on the Pull Request if applicable, but try to keep the details private: use Jira or Mattermost Channels.

Guidelines for security engineering

As security engineers coordinate an incident with both engineering staff and external contributors, the same Common Guidelines apply. The security engineer currently responsible for coordinating an incident is also in the end responsible for making sure other engineering staff is aware of the guidelines and follows them to the best of their ability.

Security engineers should monitor any public activity around an incident, such as information unintentionally leaking, outside parties commenting on Pull Requests, or the reporter of the issue actively leaking information on social media.

The responsibility of maintaining this document also rests with security engineering: If a specific guideline cannot be reasonably applied in a large number of cases, the guideline should be updated. Similarly, if information appears to be consistently leaking despite following these guidelines, improvements should be planned and documented.

PreviousProduct Vulnerability ProcessNextSecure Software Development guide

Last updated 6 months ago

Was this helpful?

The guidelines below are split by work area; start by reading the section, then proceed to whichever follow-up section is relevant to you.

When developing a fix for a security issue, bear in mind that the code, comments, unit tests, and commit messages become public information as soon as they are pushed to the remote repository. Apply accordingly.

If unsure about how to thoroughly QA test a security fix or how to set up the environment required, feel free to leave QA testing to the security team. For automated testing, also see the section.

Common Guidelines
Common Guidelines
Guidelines for Developers