1# Vulnerability Runbook 2 3This document outlines how Wasmtime maintainers should respond to a security 4vulnerability found in Wasmtime. This is intended to be a Wasmtime-specific 5variant of the [runbook 6RFC](https://github.com/bytecodealliance/rfcs/blob/main/accepted/vulnerability-response-runbook.md) 7originally created. More details are available in the RFC in some specific steps. 8 9Vulnerabilities and advisories are all primarily coordinated online through 10GitHub Advisories on the Wasmtime repository. Anyone can make an advisory on 11Wasmtime, and once created anyone can be added to an advisory. Once an advisory 12is created these steps are followed: 13 141. An **Incident Manager** is selected. By default this is the Wasmtime 15 maintainer that opened the advisory. If a contributor opened the advisory 16 then it's by default the first responder on the advisory. The incident 17 manager can, at any time, explicitly hand off this role to another 18 maintainer. 19 202. **Fill out the advisory details**. This step involves filling out all the 21 fields on the GitHub Advisory page such as: 22 23 * Description - the description field's initial placeholder has the various 24 sections to fill out. At this point at least a brief description of the 25 impact should be filled out. This will get fleshed out more later too. 26 * Affected versions - determine which previously released versions of 27 Wasmtime are affected by this issue. 28 * Severity - use the CVSS calculator to determine the severity of this 29 vulnerability. 30 313. **Collaborate on a fix**. This should be done in a private fork created for 32 the security advisory. This is also when any collaborators who can help with 33 the development of the fix should also be invited. At this time only the 34 `main` branch needs to have a fix. 35 364. **Finalize vulnerability details and patched versions**. After a fix has been 37 developed and the vulnerability is better understood at this point the 38 description of the advisory should be fully filled out and be made ready to 39 go to the public. This is also when the incident manager should determine the 40 number of versions of Wasmtime to patch. All [supported releases 41 documented](./stability-release.md) must be patched, but the incident manager 42 may also elect to patch more releases if desired. 43 445. **Request a CVE**. Use the Big Green Button on the advisory to request a CVE 45 number from GitHub staff. 46 476. **Send advanced disclosure email**. The incident manager will decide on a 48 disclosure date, typically no more than a week away, and send mail to 49 [email protected] about the upcoming security release. An 50 example mail [looks like 51 this](https://groups.google.com/a/bytecodealliance.org/g/sec-announce/c/7SjEU_qSE4U/m/Y6baLYkhAgAJ) 52 537. **Add more stakeholders** (optional). Users interested in getting advanced 54 notice about this vulnerability may respond to the mailing list post. The 55 incident manager will add them to the security advisory. 56 578. **Prepare PRs for patch releases**. This will involve creating more pull 58 requests in the private fork attached to the advisory. Each version of 59 Wasmtime being patched should have a PR ready-to-go which cleanly applies. 60 Be sure to write release notes on the PR for each release branch. 61 629. **The full test suite should be run locally for `main`**. Locally try to run 63 as much of the CI matrix as you can. You probably won't be able to run all of 64 it, and that's ok, but try to get the ones that may have common failures. 65 This is required because CI doesn't run on private forks. 66 6710. **Release day: Open version bump PRs on the public repository**. Use the 68 [online trigger] for this workflow to open PRs for all versions that are 69 going to be patched. Patch notes should be included with the private PRs, so 70 no need to worry about that. Plan on merging these PRs after the PRs below 71 are merged. Note that CI should be green as we test that it's green weekly 72 for all supported branches, but if it's not you'll need to fix that. 73 74[online trigger]: https://github.com/bytecodealliance/wasmtime/actions/workflows/release-process.yml 75 7611. **Release day: Manually make PRs to affected branches**. DO NOT merge via 77 the security advisory. This has generally not worked well historically 78 because there's too many CI failures and branch protections. On the day of 79 the release make public PRs from all of the previously-created PRs on the 80 private fork. You'll need to push the changes to your own personal 81 repository for this, but that's ok since it's time to make things public 82 anyway. Merge all PRs (including to `main`) once CI passes. 83 8412. **Release day: Merge version bump PRs**. Once the fixes have all been merged 85 and CI is green merge all the version bump PRs. That will trigger the 86 automatic release process which will automatically publish to crates.io and 87 publish the release. 88 8913. **Release day: Publish the GitHub Advisories**. Delete the private forks and 90 hit that Big Green Button to publish the advisory. 91 9214. **Release day: Send mail about the security release**. Send another around 93 of mail to [email protected] describing the security 94 release. This mail looks [like 95 this](https://groups.google.com/a/bytecodealliance.org/g/sec-announce/c/7SjEU_qSE4U/m/zjW9fWlcAAAJ). 96 9714. **Add the advisory to the [RustSec 98 database](https://github.com/rustsec/advisory-db)**. We mirror our 99 advisories into the RustSec database for projects using Cargo-based tooling 100 to check for security issue with their dependencies. An example of this is 101 [RUSTSEC-2024-0440]. File a PR with the 102 [RustSec/advisory-db](https://github.com/rustsec/advisory-db) repository 103 adding a new file in the `crates/wasmtime` directory. You'll use the file 104 name `RUSTSEC-0000-0000.md` and can copy metadata from a previous advisory. 105 The description should just point to the GitHub advisory published prior. 106 107[RUSTSEC-2024-0440]: https://github.com/rustsec/advisory-db/blob/4584ad9a5ea16ce196317cf4d3593e974fb4a8a1/crates/wasmtime/RUSTSEC-2024-0440.md 108 109You'll want to pay close attention to CI on release day. There's likely going to 110be CI failures with the fix for the vulnerability for some build configurations 111or platforms and such. It should be easy to fix though so mostly try to stay on 112top of it. Additionally be sure to carefully watch the publish process to 113crates.io. It's possible to hit rate limits in crate publication which 114necessitates a retry of the job later. You can also try publishing locally too 115from the release branch, but it's best to do it through CI. 116