OpenMetadata/INCIDENT_RESPONSE.md

OpenMetadata Incident Response Plan

This document outlines the incident response procedures for security issues in the OpenMetadata project.

Scope

This incident response plan covers:

• All code within the OpenMetadata organization repositories
• Security vulnerabilities in OpenMetadata services
• Metadata exposure incidents
• Supply chain security issues
• Infrastructure compromises

Incident Lead

Primary Incident Lead: @harshach

• Responsible for coordinating incident response
• Decision authority for security releases
• External communication coordination

Backup Incident Leads: @pmbrull, @mohityadav766, @tutte

Reporting Security Issues

How to Report

All security issues must be reported privately through one of these channels:

1. GitHub Security Advisories (Preferred)

   • Navigate to: https://github.com/open-metadata/OpenMetadata/security/advisories
   • Click "Report a vulnerability"
   • Provide detailed information

2. Email: security@open-metadata.org

   • Encrypt sensitive details using our PGP key (available on our website)

What to Include

• Detailed description of the vulnerability
• Steps to reproduce
• Potential impact assessment
• Affected versions
• Any proof-of-concept code (if applicable)

What NOT to Do

• DO NOT create public GitHub issues for security vulnerabilities
• DO NOT disclose vulnerabilities on public forums or social media
• DO NOT submit pull requests with security fixes without prior coordination

Response Timeline

• Initial Response: Within 24 hours
• Impact Assessment: Within 72 hours
• Resolution Target: Within 30 days for critical issues
• Public Disclosure: Coordinated after fix is available

Incident Response Phases

Phase 1: Detection & Initial Response (0-24 hours)

1. Acknowledge Receipt

   • Send confirmation to reporter
   • Assign tracking identifier
   • Engage incident lead (@harshach)

2. Initial Assessment

   • Verify the vulnerability
   • Determine severity using CVSS scoring
   • Identify affected versions
   • Check if actively exploited

3. Immediate Containment (if critical)

   • Disable affected features if possible
   • Notify cloud service providers if applicable
   • Revoke compromised credentials

Phase 2: Investigation & Coordination (24-72 hours)

1. Form Response Team

   • Incident Lead: @harshach
   • Security Engineer(s)
   • Affected component maintainer(s)
   • Communications coordinator

2. Deep Investigation

   • Root cause analysis
   • Full impact assessment
   • Check for similar vulnerabilities
   • Review logs for exploitation attempts

3. Develop Fix

   • Create patches for supported versions
   • Develop test cases
   • Security review of proposed fix

Phase 3: Mitigation & Remediation

1. Prepare Releases

   • Patch all supported versions
   • Update documentation
   • Prepare security advisory

2. Coordinate Disclosure

   • Notify major users under embargo (if applicable)
   • Request CVE assignment
   • Coordinate disclosure date with reporter

3. Deploy Fixes

   • Release patched versions
   • Update Docker images
   • Update Helm charts
   • Deploy to cloud services

Phase 4: Communication

1. Internal Communication

   • Update internal teams
   • Brief support teams
   • Update runbooks

2. External Communication

   • Publish security advisory
   • Update security page
   • Send notifications to mailing list
   • Social media announcements (if critical)

3. Credit & Acknowledgment

   • Credit reporter (unless anonymity requested)
   • Update security acknowledgments page

Phase 5: Post-Incident Review

1. Incident Review (Within 1 week)

   • Timeline review
   • Response effectiveness
   • Lessons learned
   • Process improvements

2. Security Improvements

   • Update security practices
   • Enhance testing procedures
   • Update threat model
   • Security training needs

3. Documentation Updates

   • Update incident response plan
   • Update security documentation
   • Share learnings with community

Severity Levels

Critical (CVSS 9.0-10.0)

• Complete system compromise
• Unauthorized access to all metadata
• Remote code execution
• Authentication bypass
• Response Time: Immediate, fix within 24-48 hours

High (CVSS 7.0-8.9)

• Significant metadata exposure
• Privilege escalation
• Connection credential exposure
• Response Time: Within 7 days

Medium (CVSS 4.0-6.9)

• Limited metadata exposure
• Denial of service
• Information disclosure
• Response Time: Within 30 days

Low (CVSS 0.1-3.9)

• Minor information leakage
• Difficult to exploit issues
• Response Time: Next regular release

Special Considerations for OpenMetadata

Metadata-Specific Incidents

Since OpenMetadata handles only metadata, not actual data:

1. Metadata Exposure

   • Assess what metadata was exposed
   • Determine business impact (not data breach)
   • Notify affected teams about architecture exposure

2. Connection Configuration

   • Immediately rotate any exposed credentials
   • Audit connected system access logs
   • Verify read-only permissions maintained

3. Lineage Information

   • Assess business process exposure
   • Review competitive sensitivity
   • Update access controls

Supply Chain Incidents

1. Dependency Vulnerabilities

   • Immediate assessment of exposure
   • Patch or workaround deployment
   • Update dependency management

2. Connector Compromises

   • Disable affected connectors
   • Audit ingestion logs
   • Verify metadata integrity

Contact Information

Security Team

• Email: security@open-metadata.org
• GitHub Security: https://github.com/open-metadata/OpenMetadata/security
• Incident Lead: @harshach

Escalation Path

1. Security Team
2. Incident Lead (@harshach)
3. OpenMetadata Maintainers
4. Collate (parent organization) if required

Communication Templates

Initial Response

Subject: Security Report Acknowledged - [TRACKING-ID]

Thank you for reporting this security issue. We take all security reports seriously.

We have assigned tracking ID [TRACKING-ID] to your report and will investigate immediately.

Expected timeline:
- Initial assessment: Within 72 hours
- Resolution target: Within 30 days

We will keep you updated on our progress. Please keep this issue confidential until we coordinate disclosure.

Thank you for helping keep OpenMetadata secure.

Security Advisory Template

# Security Advisory: [CVE-ID]

**Affected Component**: OpenMetadata [Component]
**Severity**: [Critical/High/Medium/Low]
**CVSS Score**: [Score]
**Affected Versions**: [Versions]
**Fixed Versions**: [Versions]

## Summary
[Brief description]

## Impact
[Detailed impact assessment]

## Mitigation
[Steps to mitigate if patch cannot be immediately applied]

## Fix
[How to upgrade/patch]

## Credit
Discovered by [Reporter Name/Organization]

## References
- [CVE Link]
- [Additional References]

Security Disclosure Policy

• We request 90 days to address reported vulnerabilities
• We coordinate disclosure timing with reporters
• We credit reporters unless anonymity is requested
• We maintain a security acknowledgments page
• We follow responsible disclosure practices

Training & Preparedness

Regular Activities

• Quarterly incident response drills
• Annual security training for maintainers
• Regular dependency audits
• Penetration testing (annually)

Required Training

• OWASP Top 10 awareness
• Secure coding practices
• Incident response procedures
• Communication protocols

References

• GitHub Security Advisories
• CVE Process
• FIRST PSIRT Framework
• NIST Incident Response Guide

---

Last Updated: 2025-01-28 Version: 1.0 Next Review: Quarterly