|
| 1 | +# Thunderbird for Android — Incident Response Plan |
| 2 | + |
| 3 | +This template that will help guide you through the process of handling security incidents and investigations. |
| 4 | + |
| 5 | +There are 5 phases: |
| 6 | +1. Validation |
| 7 | +2. Mitigation |
| 8 | +3. Scoping |
| 9 | +4. Mitigation Notification |
| 10 | +5. Remediation |
| 11 | + |
| 12 | +Each phase should be completed before moving to the next. |
| 13 | + |
| 14 | +--- |
| 15 | + |
| 16 | +## Guidance |
| 17 | + |
| 18 | +- [Vulnerability Reporting Form](https://github.com/thunderbird/thunderbird-android/security/advisories/new) (see SECURITY.md) |
| 19 | + - Note: Vulnerability Reports include CVSS scoring calculator |
| 20 | +- The [CIA triad](https://www.energy.gov/femp/operational-technology-cybersecurity-energy-systems#cia) is used to evaluate security risks. Every vulnerability should be assessed against these principles: |
| 21 | + - Confidentiality |
| 22 | + - Keep data private and protected from unauthorized access |
| 23 | + - Example: Can the attacker read or exfiltrate email content, account settings, auth tokens, or attachment cache? |
| 24 | + - Integrity |
| 25 | + - Ensure data is accurate and not tampered with |
| 26 | + - Example: Can the attacker modify mailbox state, filters, server settings, or message contents rendered to the user? |
| 27 | + - Availability |
| 28 | + - Keep systems and data accessible when needed |
| 29 | + - Example: Can crafted content crash the app, deadlock sync, or brick startup (persistent DoS via mailbox state)? |
| 30 | + |
| 31 | +--- |
| 32 | + |
| 33 | +## Phase 1 - Validation |
| 34 | + |
| 35 | +### Updates |
| 36 | + |
| 37 | +_In this section, summarize the report, steps to recreate, mitigating factors, and potential impact._ |
| 38 | + |
| 39 | +_Example:_ |
| 40 | + |
| 41 | +_We received a report of a crash triggered by malformed S/MIME messages._ |
| 42 | +- _Verified on Android 15 with Thunderbird 13.0_ |
| 43 | +- _Requires custom-crafted email and user interaction_ |
| 44 | +- _See sample email link for recreation_ |
| 45 | +- _Potential Impact: Denial-of-service and possible memory corruption_ |
| 46 | + |
| 47 | +### Tasks |
| 48 | + |
| 49 | +- [ ] Understand the vulnerability |
| 50 | +- [ ] Update the vulnerability report with understanding |
| 51 | +- [ ] Determine severity based on CVSS scoring calculator |
| 52 | +- [ ] Decide if case will become an investigation. Either: |
| 53 | + - [ ] Dismiss report as not-actionable |
| 54 | + - [ ] Convert report to an investigation |
| 55 | + |
| 56 | +### Results |
| 57 | + |
| 58 | +- Is there a direct risk of CIA being broken? `Yes|No` |
| 59 | +- Which part of CIA could be broken? `Confidentiality|Integrity|Availability` |
| 60 | +- What user data is at risk? |
| 61 | +- What is required to exploit the vulnerability? |
| 62 | +- What is the severity? `Low|Moderate|High|Critical` |
| 63 | +- Vulnerability was introduced on: `YYYY-MM-DD` |
| 64 | +- Pull request where vulnerability was introduced? `<url>` |
| 65 | +- Versions of Thunderbird affected: `<#.#>, ...` |
| 66 | + |
| 67 | +--- |
| 68 | + |
| 69 | +## Phase 2 - Mitigation |
| 70 | + |
| 71 | +### Updates |
| 72 | + |
| 73 | +_In this section, note any blockers, challenges, or progress on mitigation. This phase is only necessary in circumstances where the remediation is not possible in a reasonable amount of time._ |
| 74 | + |
| 75 | +_Example:_ |
| 76 | +_We disabled the inline S/MIME rendering feature flag as a temporary mitigation. Root cause identified in MIME parsing logic._ |
| 77 | + |
| 78 | +### Tasks |
| 79 | + |
| 80 | +- [ ] Re-assess severity and update if necessary |
| 81 | +- [ ] Assess whether vulnerability also exists in other code paths |
| 82 | +- [ ] Update vulnerability report with mitigation |
| 83 | + |
| 84 | +### Results |
| 85 | + |
| 86 | +- The vulnerability required mitigation on: `Nightly|Beta|Release` |
| 87 | +- The vulnerability mitigated on: `YYYY-MM-DD` |
| 88 | +- The vulnerability mitigated on the following releases: `<#.#>, ...` |
| 89 | +- Link to mitigation work: `<url>` |
| 90 | + |
| 91 | +--- |
| 92 | + |
| 93 | +## Phase 3 - Scoping |
| 94 | + |
| 95 | +### Updates |
| 96 | + |
| 97 | +_In this section describe the scoping results. Interrogate data to determine if the vulnerability was exploited, and what the impact was._ |
| 98 | + |
| 99 | +_Example:_ |
| 100 | +_Crash telemetry indicates 1,200 users impacted on version 13. No evidence of public exploit in use._ |
| 101 | + |
| 102 | +### Tasks |
| 103 | + |
| 104 | +- [ ] Review available information sources (crash reports, GitHub issues, vulnerability reports, social networks, blogs, etc) |
| 105 | +- [ ] Determine if there was a confirmed breach in CIA |
| 106 | +- [ ] Confirm who was affected or might have been affected |
| 107 | + |
| 108 | +### Results |
| 109 | + |
| 110 | +- Scoping analysis link: `<url>` |
| 111 | +- Confidence in scoping completeness: `low|medium|high` |
| 112 | +- Was there a CIA breach? `Yes|No` |
| 113 | + - If yes, elaborate: |
| 114 | +- How many users were affected: `<#>` |
| 115 | +- All needed data available? `Yes|No` |
| 116 | + - If no, elaborate: |
| 117 | + |
| 118 | +--- |
| 119 | + |
| 120 | +## Phase 4 - Mitigation Notification |
| 121 | + |
| 122 | +### Updates |
| 123 | + |
| 124 | +_In this section describe the mitigation notification plans. This phase is only necessary in circumstances where the remediation is not possible in a reasonable amount of time._ |
| 125 | + |
| 126 | +_Example:_ |
| 127 | +_We will notify users with our findings on this vulnerability, provide instruction on what version contains the mitigation, and how to audit their device for exploitation._ |
| 128 | + |
| 129 | +_We will notify via:_ |
| 130 | +- _Release notes_ |
| 131 | +- _Thunderbird blog post (if high severity)_ |
| 132 | + |
| 133 | +### Tasks |
| 134 | + |
| 135 | +- [ ] Draft notification content |
| 136 | +- [ ] Internal FAQ + Support/Comms alert |
| 137 | +- [ ] Update GitHub and Play Store release notes |
| 138 | +- [ ] Optional blog post |
| 139 | + |
| 140 | +### Results |
| 141 | + |
| 142 | +- Notifications were sent/published on: `YYYY-MM-DD:HH-MM-SSZ` |
| 143 | +- Link to notification content? `<url>` |
| 144 | +- Is there a link to a blog/changelog that was published? `<url>` |
| 145 | + |
| 146 | +--- |
| 147 | + |
| 148 | +## Phase 5 - Remediation |
| 149 | + |
| 150 | +### Updates |
| 151 | + |
| 152 | +_In this section describe the remediation plans._ |
| 153 | + |
| 154 | +_Example:_ |
| 155 | +_We are providing a patch to the MIME parsing logic to fix the vulnerability. We will again notify users with our findings on this vulnerability, provide instruction on what version contains the mitigation, and how to audit their device for exploitation._ |
| 156 | + |
| 157 | +_We will notify via:_ |
| 158 | +- _CVE_ |
| 159 | +- _Thunderbird for Android Security Advisory_ |
| 160 | +- _Release notes_ |
| 161 | +- _Thunderbird blog post (if high severity)_ |
| 162 | + |
| 163 | +### Tasks |
| 164 | + |
| 165 | +- [ ] Request CVE assignment. Reach out to Mozilla Security Team Members Tom Ritter and Dan Veditz with [email protected] as the back-up. |
| 166 | +- [ ] Publish advisory to [Thunderbird for Android Security Advisories](https://github.com/thunderbird/thunderbird-android/security/advisories) |
| 167 | +- [ ] Update release notes |
| 168 | +- [ ] Optional blog post |
| 169 | + |
| 170 | +### Results |
| 171 | + |
| 172 | +- CVE and advisory were published on: `YYYY-MM-DD:HH-MM-SSZ` |
| 173 | +- Link to notification content? `<url>` |
| 174 | +- Is there a link to a blog/changelog that was published? `<url>` |
| 175 | + |
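Review bot: the Phase 2 and Phase 5 task lists omit the work that names each phase. Phase 2 "Tasks" lists re-assessing severity, checking other code paths and updating the report, but no item for actually shipping the mitigation (e.g. "- [ ] Land mitigation and ship to Nightly/Beta/Release"), even though the Phase 2 "Results" fields ("The vulnerability mitigated on:", "Link to mitigation work:") assume it happened; likewise Phase 5 "Tasks" covers CVE, advisory, release notes and blog post but has no item such as "- [ ] Land the fix, verify it against the reproduction from Phase 1, and release it". A few smaller points in the same file: the intro sentence "This template that will help guide you" should drop "that"; "Each phase should be completed before moving to the next" contradicts the Phase 2 and Phase 4 "Updates" text that marks those phases optional, so consider "completed or explicitly marked not applicable"; the Phase 5 example says "what version contains the mitigation" where the patch is the remediation; and the timestamp placeholder `YYYY-MM-DD:HH-MM-SSZ` in the Phase 4 and Phase 5 "Results" is not a standard format, so `YYYY-MM-DDTHH:MM:SSZ` (ISO 8601) would be clearer and consistent with the `YYYY-MM-DD` used elsewhere.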