Bug Process Reference Sheet

While I was a scout, I created a quick, two-sided document with the security bug process, using info from the GLSA Coordinator Guide and the Gentoo Linux Vulnerability Treatment Policy. Most of the time, this really saved me the headache of having to open another tab and dig for the info – especially since I printed the doc and put it next to my monitor.

I posted a PDF version here: http://dev.gentoo.org/~ackle/docs/NewBugProcess.pdf

Hopefully this will help out any new scouts. Beware, though: if the GLSA Coordinator Guide or the Vulnerability Policy changes, this doc will not be updated.

Using Gmail for Security Bug Scouting

Scouting for the Gentoo Security Project is only the first step as a padawan, but it is the most basic task, and it follows you through the entire recruitment process.

I’ve used Gmail for personal email for years, but never truly understood the benefits of it until I started as a scout and the emails started pouring in. A few reasons why I have come to love Gmail for scouting bugs and wrangling vulnerabilities:

Labels

Like many new scouts for the Gentoo Security team, I referenced the Padawan process page and also Tim Sammut’s Scouting Tips when just starting out and setting up my own method of handling mail. Tim’s tips and process for handling incoming mail are excellent, but there was one thing that I couldn’t live with: the idea of all my mail from several lists and sources mingling together in one folder. With Gmail, each message is filtered as it is received and a label can be applied to it. Sound a lot like folders? Not quite – multiple labels can be applied to the same email. The Inbox is a label applied to each message by default. This means that all new mail comes into one “folder” (the Inbox), but when it is archived, the message is found under its appropriate label, as if it had been moved to a folder.

Duplicate Email Filtering

A lot of emails are sent to multiple lists. Even our GLSAs go to three lists that scouts should be subscribed to (Gentoo Announce, Bugtraq, and Full Disclosure), but that does not mean anyone wants to handle three copies of a GLSA. Luckily, Gmail filters out duplicates. If there are three filters, each applying a different label for Gentoo Announce, Bugtraq, and Full Disclosure emails, then Gmail will keep one copy of the email and apply all three labels to it. The only part I don’t like about duplicate email filtering: emails I send to a list I belong to are discarded. For example, when I send an email to oss-security, I do not receive a copy of the email from the list (I like the confirmation of knowing that my email went through).
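The label and duplicate-handling behaviour described in the two sections above (Labels and Duplicate Email Filtering), as an added simulation that is not code from the original post, from Gmail, or from the Gentoo Security Project. The filter rules, the address scout@example.org, and the sample messages are all constructed here; the List-Id matching is a stand-in for whatever header a real Gmail filter would key on, and merging the discarded copy’s labels onto the kept message is an assumption made so that one GLSA ends up carrying all three list labels.

```python
# Added example (not from the original post, Gmail, or Gentoo): a small
# simulation of "one copy per Message-ID, many labels" list-mail handling.
# Filter rules, the scout's address, and the sample messages are constructed.
from email import message_from_string

# Hypothetical filter rules: substring to look for in List-Id -> label to apply.
FILTERS = [
    ("gentoo-announce", "Gentoo Announce"),
    ("bugtraq", "Bugtraq"),
    ("full-disclosure", "Full Disclosure"),
    ("oss-security", "oss-security"),
]

ME = "scout@example.org"  # constructed address standing in for the scout's own account


def filter_labels(msg):
    """Labels a filter pass would attach; every newly received message also gets Inbox."""
    labels = {"Inbox"}
    list_id = msg.get("List-Id", "").lower()
    for needle, label in FILTERS:
        if needle in list_id:
            labels.add(label)
    return labels


def deliver(mailbox, raw_messages):
    """Deliver raw RFC 822 messages into `mailbox` (a dict keyed by Message-ID).

    A second copy with an already-known Message-ID is not stored again: the
    first copy is kept and the later copy's labels are merged onto it (assumed
    behaviour). Returns the Message-IDs of the copies that were discarded.
    """
    discarded = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        mid = msg["Message-ID"]
        labels = filter_labels(msg)
        if mid in mailbox:
            mailbox[mid]["labels"] |= labels
            discarded.append(mid)
        else:
            mailbox[mid] = {"subject": msg["Subject"], "labels": labels}
    return discarded


def send(mailbox, raw):
    """Record an outgoing message under its Message-ID, as a Sent folder does."""
    msg = message_from_string(raw)
    mailbox[msg["Message-ID"]] = {"subject": msg["Subject"], "labels": {"Sent"}}


def archive(mailbox, mid):
    """Archiving removes only the Inbox label; the list labels stay."""
    mailbox[mid]["labels"].discard("Inbox")


def demo():
    """Run the two scenarios from the post on constructed messages."""
    mailbox = {}

    # Scenario 1: one GLSA arrives via three lists (constructed messages, same Message-ID).
    glsa = ("Message-ID: <glsa-1@example.org>\nSubject: [ GLSA ] example\n"
            "List-Id: {lid}\n\nbody\n")
    discarded = deliver(mailbox, [
        glsa.format(lid="<gentoo-announce.gentoo.org>"),
        glsa.format(lid="<bugtraq.securityfocus.com>"),
        glsa.format(lid="<full-disclosure.lists.example.org>"),
    ])
    archive(mailbox, "<glsa-1@example.org>")  # leaves the Inbox, keeps its three labels

    # Scenario 2: the scout posts to oss-security; the list's echo is a duplicate
    # of the Sent copy and is discarded, so no "it went through" copy shows up.
    mine = ("Message-ID: <cve-req-1@example.org>\nSubject: CVE request: example\n"
            "From: " + ME + "\n")
    send(mailbox, mine + "\nbody\n")
    discarded += deliver(mailbox, [mine + "List-Id: <oss-security.example.org>\n\nbody\n"])

    return mailbox, discarded


if __name__ == "__main__":
    box, dropped = demo()
    for mid, entry in box.items():
        print(mid, entry["subject"], sorted(entry["labels"]))
    print("discarded duplicates:", dropped)
```

The point the simulation makes visible is the trade-off the post describes: keying on Message-ID is what collapses three list copies of a GLSA into one labelled message, and it is the very same rule that swallows the list echo of a message you sent yourself, because that echo carries the Message-ID your client already stored in Sent.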

Priority Inbox

Gmail already groups messages into conversations. However, there can still be a lot of conversations. Priority Inbox can be used to let Gmail determine what is more important to you. Over time, Priority Inbox learned that messages from bugzillas, gentoo-[dev-]announce@g.o, and CVE requests from oss-security are more important to me than most conversations from Full Disclosure or Bugtraq (which typically contain fewer actionable items). Of course, Priority Inbox doesn’t do much good if you use a mail client like Thunderbird.

No, I don’t work for Google and they surely didn’t pay me to write this, but Gmail has really helped with organizing, filtering, and prioritizing all the messages that a scout needs.