# OpenMetadata Incident Response Plan This document outlines the incident response procedures for security issues in the OpenMetadata project. ## Scope This incident response plan covers: - All code within the OpenMetadata organization repositories - Security vulnerabilities in OpenMetadata services - Metadata exposure incidents - Supply chain security issues - Infrastructure compromises ## Incident Lead **Primary Incident Lead**: @harshach - Responsible for coordinating incident response - Decision authority for security releases - External communication coordination **Backup Incident Leads**: @pmbrull, @mohityadav766, @tutte ## Reporting Security Issues ### How to Report All security issues must be reported privately through one of these channels: 1. **GitHub Security Advisories** (Preferred) - Navigate to: https://github.com/open-metadata/OpenMetadata/security/advisories - Click "Report a vulnerability" - Provide detailed information 2. **Email**: security@open-metadata.org - Encrypt sensitive details using our PGP key (available on our website) ### What to Include - Detailed description of the vulnerability - Steps to reproduce - Potential impact assessment - Affected versions - Any proof-of-concept code (if applicable) ### What NOT to Do - **DO NOT** create public GitHub issues for security vulnerabilities - **DO NOT** disclose vulnerabilities on public forums or social media - **DO NOT** submit pull requests with security fixes without prior coordination ## Response Timeline - **Initial Response**: Within 24 hours - **Impact Assessment**: Within 72 hours - **Resolution Target**: Within 30 days for critical issues - **Public Disclosure**: Coordinated after fix is available ## Incident Response Phases ### Phase 1: Detection & Initial Response (0-24 hours) 1. **Acknowledge Receipt** - Send confirmation to reporter - Assign tracking identifier - Engage incident lead (@harshach) 2. **Initial Assessment** - Verify the vulnerability - Determine severity using CVSS scoring - Identify affected versions - Check if actively exploited 3. **Immediate Containment** (if critical) - Disable affected features if possible - Notify cloud service providers if applicable - Revoke compromised credentials ### Phase 2: Investigation & Coordination (24-72 hours) 1. **Form Response Team** - Incident Lead: @harshach - Security Engineer(s) - Affected component maintainer(s) - Communications coordinator 2. **Deep Investigation** - Root cause analysis - Full impact assessment - Check for similar vulnerabilities - Review logs for exploitation attempts 3. **Develop Fix** - Create patches for supported versions - Develop test cases - Security review of proposed fix ### Phase 3: Mitigation & Remediation 1. **Prepare Releases** - Patch all supported versions - Update documentation - Prepare security advisory 2. **Coordinate Disclosure** - Notify major users under embargo (if applicable) - Request CVE assignment - Coordinate disclosure date with reporter 3. **Deploy Fixes** - Release patched versions - Update Docker images - Update Helm charts - Deploy to cloud services ### Phase 4: Communication 1. **Internal Communication** - Update internal teams - Brief support teams - Update runbooks 2. **External Communication** - Publish security advisory - Update security page - Send notifications to mailing list - Social media announcements (if critical) 3. **Credit & Acknowledgment** - Credit reporter (unless anonymity requested) - Update security acknowledgments page ### Phase 5: Post-Incident Review 1. **Incident Review** (Within 1 week) - Timeline review - Response effectiveness - Lessons learned - Process improvements 2. **Security Improvements** - Update security practices - Enhance testing procedures - Update threat model - Security training needs 3. **Documentation Updates** - Update incident response plan - Update security documentation - Share learnings with community ## Severity Levels ### Critical (CVSS 9.0-10.0) - Complete system compromise - Unauthorized access to all metadata - Remote code execution - Authentication bypass - **Response Time**: Immediate, fix within 24-48 hours ### High (CVSS 7.0-8.9) - Significant metadata exposure - Privilege escalation - Connection credential exposure - **Response Time**: Within 7 days ### Medium (CVSS 4.0-6.9) - Limited metadata exposure - Denial of service - Information disclosure - **Response Time**: Within 30 days ### Low (CVSS 0.1-3.9) - Minor information leakage - Difficult to exploit issues - **Response Time**: Next regular release ## Special Considerations for OpenMetadata ### Metadata-Specific Incidents Since OpenMetadata handles only metadata, not actual data: 1. **Metadata Exposure** - Assess what metadata was exposed - Determine business impact (not data breach) - Notify affected teams about architecture exposure 2. **Connection Configuration** - Immediately rotate any exposed credentials - Audit connected system access logs - Verify read-only permissions maintained 3. **Lineage Information** - Assess business process exposure - Review competitive sensitivity - Update access controls ### Supply Chain Incidents 1. **Dependency Vulnerabilities** - Immediate assessment of exposure - Patch or workaround deployment - Update dependency management 2. **Connector Compromises** - Disable affected connectors - Audit ingestion logs - Verify metadata integrity ## Contact Information ### Security Team - **Email**: security@open-metadata.org - **GitHub Security**: https://github.com/open-metadata/OpenMetadata/security - **Incident Lead**: @harshach ### Escalation Path 1. Security Team 2. Incident Lead (@harshach) 3. OpenMetadata Maintainers 4. Collate (parent organization) if required ## Communication Templates ### Initial Response ``` Subject: Security Report Acknowledged - [TRACKING-ID] Thank you for reporting this security issue. We take all security reports seriously. We have assigned tracking ID [TRACKING-ID] to your report and will investigate immediately. Expected timeline: - Initial assessment: Within 72 hours - Resolution target: Within 30 days We will keep you updated on our progress. Please keep this issue confidential until we coordinate disclosure. Thank you for helping keep OpenMetadata secure. ``` ### Security Advisory Template ``` # Security Advisory: [CVE-ID] **Affected Component**: OpenMetadata [Component] **Severity**: [Critical/High/Medium/Low] **CVSS Score**: [Score] **Affected Versions**: [Versions] **Fixed Versions**: [Versions] ## Summary [Brief description] ## Impact [Detailed impact assessment] ## Mitigation [Steps to mitigate if patch cannot be immediately applied] ## Fix [How to upgrade/patch] ## Credit Discovered by [Reporter Name/Organization] ## References - [CVE Link] - [Additional References] ``` ## Security Disclosure Policy - We request 90 days to address reported vulnerabilities - We coordinate disclosure timing with reporters - We credit reporters unless anonymity is requested - We maintain a security acknowledgments page - We follow responsible disclosure practices ## Training & Preparedness ### Regular Activities - Quarterly incident response drills - Annual security training for maintainers - Regular dependency audits - Penetration testing (annually) ### Required Training - OWASP Top 10 awareness - Secure coding practices - Incident response procedures - Communication protocols ## References - [GitHub Security Advisories](https://docs.github.com/en/code-security/security-advisories) - [CVE Process](https://cve.mitre.org/) - [FIRST PSIRT Framework](https://www.first.org/standards/frameworks/psirts/) - [NIST Incident Response Guide](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf) --- *Last Updated: 2025-01-28* *Version: 1.0* *Next Review: Quarterly*