From 32bdf9294ceddd09c70f9f63c11a28de679f04ef Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Tue, 25 Jun 2024 22:00:07 -0700 Subject: [PATCH 1/4] Added maintainer guide as part of #1260 Signed-off-by: Eddie Knight --- project-resources/security-hygiene-guide.md | 240 ++++++++++++++++++++ 1 file changed, 240 insertions(+) create mode 100644 project-resources/security-hygiene-guide.md diff --git a/project-resources/security-hygiene-guide.md b/project-resources/security-hygiene-guide.md new file mode 100644 index 000000000..5758bcfc3 --- /dev/null +++ b/project-resources/security-hygiene-guide.md 
@@ -0,0 +1,240 @@ +# Security Hygiene Guide for Project Maintainers + +> [!NOTE] +> This guide is under revision as part of [#1260](https://github.com/cncf/tag-security/issues/1260). It's contents are accurate, but are expected to be adapted or extended. + +## Introduction + +Tackling security requirements can be a daunting task, especially in the Cloud Native landscape. There are several resources available to assist the community in their security journey, such as the resources and publications by the CNCF Technical Advisory Group for Security, OpenSSF Best Practices Working Group, and many others. + +Security Guidelines for New Projects aims to provide recommendations for new projects to ensure they follow the minimum measures to secure their projects and build incrementally as their maturity grows. These security guidelines can be grouped into the following categories: + +1. Securing code repositories +2. Self assessment +3. SECURITY.md +4. Incident management +5. Badging + +![](../images/SecurityGuidelines.png) + +**Figure 1**. An overview of security guidelines for new projects + +These guidelines are heavily influenced by the contributions of the CNCF Technical Advisory Group for Security, particularly the Cloud Native Security Whitepaper[[1]] and Software Supply Chain Security Best Practices Whitepaper[[2]] and the tooling for these guidelines can be referred to in the CNCF Cloud Native Security Map[[3]]. + +**Note** + +This paper refers to GitHub as the source code management repository due to its popularity in the Open Source ecosystem, however the same guidelines are applicable to any other source code management service as well. 
+ +## Goals + +This guide aims to outline the minimal security measures for sandbox or early maturity CNCF projects to ensure security measures are included as early as possible for the development and source code management of the project while increasing their awareness of resources to iteratively build secure practices as they enhance the maturity of the project. + +## 1. Securing Code Repository + +The foundation of a project is its source code and it is essential to ensure the integrity of the source code. Source code repositories such as GitHub allow contributions from numerous members from all across the world in a single repository which is a boon in itself, however if not leveraged securely, it can be a bane. The key to doing so is protecting the repository where the source code lies and introducing changes to the repository in a controlled and secure manner. + +This section outlines several measures that can be taken to ensure authorized members have access to the code repository, changes are suggested, suggested changes are reviewed, and changes are introduced to the repository in a secure and controlled manner. + +It should be noted that secure device management is assumed - if you have a remote access trojan on your laptop, many of these countermeasures are subverted. + +## 1.1 Access management + +### Enable Role Based Access Control (RBAC) + +Define roles and associated access controls based upon the different personas interacting with the code repositories. The roles should be assigned following least privilege on a need-to know basis based on their assigned responsibilities. For example, GitHub provides roles such as Owner, Maintainer, Developer, Reviewer, Approver, and Guest. Each role should then be given fine-grained permissions with regards to repository access control. 
+ +### Strong Authentication mechanisms + +Strong authentication mechanisms are key to ensure accounts are not susceptible to several attacks including but not limited to account takeover. We highly recommend the use of password-protected SSH keys or a personal access token (PAT). + +However, for certain non-code intensive projects which specifically require accommodation that cannot be made possible using recommended methods (such as access to Github.com via browser), we recommend the use of unique and complex passwords (complexity in terms of a combination of alphanumeric, special characters as well as length). For details regarding configuring an authentication mechanism for GitHub, please refer to GitHub's documentation [GitHub Docs - About authentication to GitHub](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-authentication-to-github). + +### Two Factor Authentication/Multi-factor Authentication + +Introducing an additional factor such as "something you have" or "somewhere you are" in the authentication process proves to be of higher effectiveness than relying on one factor "something you know" such as passwords. It is required to configure two factor or multi-factor authentication for your accounts, especially for any privileged accounts. For details regarding configuring a 2FA for GitHub, please refer to GitHub's documentation [GitHub Docs - Securing your account with two-factor authentication (2FA)](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa). + +## 1.2 Branch protection + +Branches in a source code repository provide a constrained area to develop features without affecting the other areas of the project. There will be certain branches which ought to be protected from unintended changes which impair code integrity. This is where branch protection helps. 
+ +Branch protection provides functionality that allows a policy based approach to protecting particular branches. Policies such as who can make changes to certain branches, whether push/force push are permitted, merges with/without certain checks are permitted, whether delete operations are permitted and so on should be reviewed and configured based on the requirements of the project. For details regarding configuring protected branches for GitHub, please refer to GitHub's documentation [GitHub Docs - About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches). + +We recommend that any change to the repository should be introduced as part of a pull request and should go through a review process prior to merging. At least two individuals, of which one should have write access to the branch (preferably maintainers), and both of whom are independent of the request must review and approve the request and then the change is to be merged to the project. For projects with small teams where requiring two reviewers is not feasible, it is sufficient to require only a single reviewer. For projects that have a large codebase, the implementation of Code Owners (e.g. via GitHub CODEOWNERS file) is recommended to automatically request reviews to maintainers that are responsible for specific sub-modules or features. For details regarding pull request reviews for GitHub, please refer to GitHub's documentation [GitHub Docs - About pull request reviews](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews) + +## 1.3 Managing Contributions + +### Issue template + +Any ideas, bugs or enhancement suggestions reported to the project need to be tracked, and can then be discussed, triaged and prioritized/de-prioritized for implementation. 
GitHub Issues are one such avenue that allows tracking and managing ideas until they are brought to fruition. We recommend the following template for proposing changes to the project [CNCF TAG Security Project Resouces - Issue Template](https://github.com/cncf/tag-security/blob/main/project-resources/templates/ISSUE_TEMPLATE.md). + +### Commit signing + +Any code committed to the source code repository associated with the project is recommended to be signed to help ensure the integrity of the code and establish identity of the author(s). Git inspired SCMs like [Github](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits), [Gitlab](https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits/), and [Bitbucket](https://confluence.atlassian.com/bitbucketserver/using-gpg-keys-913477014.html) all provide different mechanisms to sign & enforce git commits. + +As the security maturity increases, it is a recommended security practice to store the private signing keys on a hardware token (HSMs or YubiKeys) and the adoption of secure key distribution method(s) is encouraged. + +### Secret scanning (recommended) + +It is critical to ensure no sensitive information is exposed as part of the source code, the documentation or any configuration in the source code repository. It may sometimes accidentally escape even the vigilant eyes of the contributor and reviewers, hence we recommend automating this activity and implementing secret scanning as part of the continuous integration process in the source code repository. + +There are several tools and projects aimed at providing secret scanning services, including but not limited to the ones mentioned in the section "Develop" of the Cloud Native Security Map[[3]]. 
GitHub also provides its own secret scanning service, you can find more details of this service at [GitHub Docs - Keeping secrets secure with secret scanning](https://docs.github.com/en/code-security/secret-scanning) + +### Code scanning (recommended) + +Code scanning is an automated security test to identify vulnerabilities and errors in the source code without actually compiling or executing the code. This is a key testing strategy to shift security testing left and we recommend configuring code scanning and utilizing its insights in your projects. There are several tools (both commercial and open source) available to perform the code scanning or an array of languages and technologies. GitHub also provides code scanning functionalities, which can be seen in their documentation - [GitHub Docs - Automatically scanning your code for vulnerabilities and errors](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors). + +In addition to scanning your code for identifying vulnerabilities and errors, managing the vulnerabilities dependencies is also important. [Dependabot](https://github.com/dependabot) is one tool that helps in managing vulnerabilities in dependencies by automatically raising a pull request to update vulnerable versions to secure versions of that dependency. These pull requests can be then analyzed, and further action can be taken. Further details of Dependabot and configuring it in your project code repository can be found at [GitHub Docs - Automatically updating dependencies with known vulnerabilities with Dependabot security updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates). 
+ +For further information on securing the code repository, we recommend reviewing the **GitOps section** of the [CNCF Cloud Native Security Whitepaper](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md#gitopsnew-in-v2) and the **Control Environments** sections of the [CNCF Software Supply Chain Best Practices paper](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) + +## 2. Self-assessment + +CNCF Technical Advisory Group for Security states that the self-assessment is the initial document for projects to begin thinking about the security of their project, determining gaps in their security, and preparing any security documentation for their users. + +A security self-assessment is a great start for a new project to think ahead about the security measures that are important for the project, and also to understand the gaps in the current implementation in a proactive manner, and plan for mitigating them. + +Self-assessment dives into the following aspects of the project to understand the current maturity and the gaps in security implementation or the documentation aspects. + +1. Background and overview of the project +2. Project architecture +3. Project metadata +4. Goals and Non-goals +5. Actors and Actions +6. Compliance and Regulatory requirements +7. Secure development practices +8. Resolving security issues + +A template to perform the self assessment is available at [CNCF TAG Security Project Resouces - Self-assessment](https://github.com/cncf/tag-security/blob/main/assessments/guide/self-assessment.md). All the assessments (self-assessment and joint assessment) conducted by TAG Security can be found at TAG Security GitHub repository. 
As an example, self assessments are available within the dedicated project folders at [Assessments folder of the CNCF TAG Security GitHub repository](https://github.com/cncf/tag-security/tree/main/assessments/projects). Further sections (SECURITY.md in particular) in this document provide some of the pointers to address the gaps and create the necessary process & documentation. + +## 3. SECURITY.md + +Awareness and processes are a big part of enforcing security in any project. A SECURITY.md file in your repository should talk about the security considerations of the project, and the efforts undertaken to ensure that there are policies and processes in place to report vulnerabilities to the project maintainers, and for project maintainers to notify the community of the status of the vulnerabilities. It should also list the dedicated personnel responsible to address these vulnerabilities in a timely manner. In GitHub, the SECURITY.md file creates a security policy, and when someone creates an issue in your repository, they will see a link to your project's security policy. Further information regarding security policy is available at [GitHub Docs - Adding a security policy to your repository](https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository). + +CNCF Technical Advisory Group for Security maintains a number of templates to assist projects in addressing these sections, which can be found at [CNCF TAG Security GitHub repository, under Project Resouces folder](https://github.com/cncf/tag-security/tree/main/project-resources). A special thank you to Google's OSS vulnerability guide folks for making the Security TAG aware of this collection of resources upon which much of this content was built on. + +Disclaimer: These resources are designed to be helpful to projects and organizations, they require customization and configuration by the project intending to use them. 
It does not prevent security issues from being found in a project, will not automatically resolve them, and does not place CNCF Security TAG as the responsible party. If changes are made to these templates, projects are not required to pull in a new update. + +## 3.1 Security considerations + +This document is an outcome of the self-assessment which articulates all the measures taken in the project to tackle the security goals of the project, including but not limited to ensuring its confidentiality, integrity and availability - as well as compliance with any laws or regulations. This may also be the place for security bulletins and to list out the known vulnerabilities and patches available to mitigate them. + +## 3.2 Security contacts + +This document states who are the personnel to reach out to in case of any security questions regarding the project, including but not limited to the triaging and handling of incoming security issues or security reports. Security contacts could be external participants and are not limited to being the maintainers of the projects. A template for this document is available at [CNCF TAG Security Project Resouces - Security Contacts](https://github.com/cncf/tag-security/blob/main/project-resources/templates/SECURITY_CONTACTS.md) + +**NOTE** + +CNCF could help create a mailing address (through service desk ticket) should projects need one to assist with managing their security reporting or reporting. + +## 3.3 Report vulnerabilities + +Vulnerabilities are sensitive information and exposure of information regarding vulnerabilities without the availability of a patch generates unintended risk for all the consumers of this project, hence it should be handled with caution. 
+ +At a minimum, the vulnerability reporting policy projects should include is as follows, A template for this document is available at [CNCF TAG Security Project Resouces - Reporting a Vulnerability](https://github.com/cncf/tag-security/blob/main/project-resources/templates/SECURITY.md#reporting-a-vulnerability): + +1. The medium to report vulnerabilities - Email, Web form etc. +2. Disclosure timeline +3. Point of contact or mailbox (if any) +4. Bug bounty programs (if any) + +In addition to the vulnerability reporting policy, the defined process or co-ordinate the disclosure in a secure manner is highly recommended. There are several methods to accomplish this including encrypting vulnerability reports with GPG keys among others, and projects could leverage them based on their need. + +GitHub provides an easy to use, established platform to coordinate the vulnerability disclosure between the maintainers and the reporter in a private manner. Further information on the coordinated disclosure of security vulnerabilities in Github is available at [GitHub Docs - About coordinated disclosure of security vulnerabilities](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities). + +## 3.4 Embargo Policy + +The vulnerabilities reported to the project are then handled by the security point of contact(s) and the rest of the stakeholders of the project. It is important to define a policy the stakeholders need to abide by in order to restrict the unauthorized disclosure of vulnerabilities. An Embargo policy is created for this purpose and at a minimum it should include: + +1. The stakeholders - security contacts, project maintainers and any others +2. What is covered under this policy +3. What is unacceptable or acceptable behavior +4. Medium to report violations of the policy (accidental or otherwise) +5. The consequences of any violations +6. 
Disclosure timeline + +A template for this document is available at [CNCF TAG Security Project Resouces - Embargo Policy](https://github.com/cncf/tag-security/blob/main/project-resources/templates/embargo-policy.md) + +## 3.5 Security notifications + +The vulnerabilities may need to be reported to certain stakeholders, and for this purpose, an embargo notification template can be utilized. The embargo notification at the minimum should include the information stated below: + +1. Purpose of the notification +2. Summary of the notification +3. Vulnerability name along with Common Vulnerability Enumeration (CVE), if any +4. Affected versions of the project +5. Severity of the vulnerability +6. Proof of Concept +7. Mitigation or Remediation for the vulnerability along with the fixed versions +8. Timeline of events associated with this notification +9. Any additional information relevant for this notification + +A template for this notification is available at [CNCF TAG Security Project Resouces - Embargo](https://github.com/cncf/tag-security/blob/main/project-resources/templates/embargo.md) + +## 4. Incident Response + +Incident response defines the processes that aid in solving a security issue. This issue may be an internal finding or one that was reported by an external party, in which case it includes the processes between the vulnerability reporting and embargo notification. + +Incidence response primarily states how the vulnerability is triaged, replicated, and notified. The incident response process should include the following at a minimum: + +1. Identification of the security issue or an incident + 1. What are the affected components? + 2. What type of an issue is it? + 3. How complex is this issue? + 4. How severe is the impact? + 5. What use of interaction and privilege is needed? + 6. Is there an exploit available? +2. Acknowledge the receipt of this problem +3. How can the issue be reproduced or replicated? + 1. 
If a CVE is already present, request the CVE +4. Patch publication and Notification + +In addition to the above, you could also consider adding relevant timelines, including but not limited to third party disclosure timelines. A template for the incident management process is available at [CNCF TAG Security Project Resouces - Incident Response](https://github.com/cncf/tag-security/blob/main/project-resources/templates/incident-response.md) + +## 5. OpenSSF best practices badging + +The [Open Source Security Foundation (OpenSSF)](https://openssf.org/) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices[[5]]. This initiative allows projects to voluntarily self-certify, at no cost, by using their web application[[5]] to explain how they follow each best practice. These badges are a great way to showcase the efforts towards securing the project. + +The criteria of best practices badging is defined at [Badging Criteria - BadgeApp](https://bestpractices.coreinfrastructure.org/en/criteria/0). We recommend that all projects obtain a best practices badge and that projects determine the desired badging level early in the development cycle and include it in the project milestones, to ensure efforts towards security as accounted for, managed and tracked. As adoption increases and the project becomes more critical, also consider increasing the badging level. As an example of defining this activity, you could consider passing a bronze/silver badging level prior to the "x" release of the project and aim to attain gold badging level within a defined timeframe. + +## 6. OpenSSF Security Scorecards + +The [OpenSSF Scorecards](https://securityscorecards.dev/) project helps quickly assess your project for risky practices. You can run the tool via the CLI manually or integrate it into your build [via a GitHub Action](https://securityscorecards.dev/#using-the-github-action). 
There are a variety of checks that are executed by default and the tool is even extensible to allow you to add your own checks. The CNCF highly recommends that projects enable this tool by default and it is integrated into CNCF onboarding tools such as [CLOMonitor](https://clomonitor.io/) or external tools such as deps.dev and more. + +## References + +1. [CNCF Cloud Native Security Whitepaper][1] +2. [CNCF Software Supply Chain Best Practices Whitepaper][2] +3. [CNCF Cloud Native Security Map][3] +4. [OpenSSF Badge program][4] +5. [CNCF TAG Security Publications][5] +6. [OpenSSF Scorecards][6] +7. [CLOMonitor][7] + +## Contributors + +- Ragashree M C +- Chris Aniszczyk + +## Reviewers + +- Andrew Martin (CNCF TAG Security Co-Chair) +- Brandon Lum (CNCF TAG Security Co-Chair) +- Emily Fox (CNCF TOC Security Liaison) +- Justin Cormack (CNCF TOC Security Liaison) +- Faisal Razzak +- Justin Cappos +- Marco De Benedictis +- Sergey Pronin +- Shlomo Zalman Heigh + +## Acknowledgements + +This paper is influenced by the publications of CNCF Technical Advisory Group for Security, particularly the Cloud Native Security Whitepaper[[1]] and Software Supply Chain Security Best Practices Whitepaper,[[2]] and CNCF Cloud Native Security Map[[3]], programs and initiatives by OpenSSF[[4]] [[6]]. Our sincere gratitude for the contributors of these programs and publications, and to Emily Fox for suggesting the creation of this paper, to the contributors and reviewers of this paper. + +[1]: https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md +[2]: https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf +[3]: https://cnsmap.github.io/ +[4]: https://bestpractices.coreinfrastructure.org/en +[5]: https://github.com/cncf/tag-security/blob/main/PUBLICATIONS.md +[6]: https://securityscorecards.dev/ +[7]: https://clomonitor.io/ 
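Review bot: the incident response checklist in section 4 reads "If a CVE is already present, request the CVE", which inverts the intended logic; it should read "If a CVE is not already present, request a CVE", since a CVE is requested precisely when none exists yet. Three further content issues in the same hunk: section 1.1 states "GitHub provides roles such as Owner, Maintainer, Developer, Reviewer, Approver, and Guest", but GitHub's repository roles are Read, Triage, Write, Maintain and Admin (Owner is an organization role), so either cite the actual role names or drop "GitHub provides"; section 3.5 expands CVE as "Common Vulnerability Enumeration", whereas it stands for "Common Vulnerabilities and Exposures"; and section 5 cites the badge program as [[5]] twice, while in the reference list [5] is "CNCF TAG Security Publications" and [4] is "OpenSSF Badge program", so both citations should be [[4]]. Minor text fixes worth making before merge: "It's contents" in the NOTE block should be "Its contents"; "Resouces" in every "CNCF TAG Security Project Resouces" link text should be "Resources"; "Incidence response" in section 4 should be "Incident response"; "the defined process or co-ordinate the disclosure" in section 3.3 should be "a defined process to coordinate the disclosure"; and "perform the code scanning or an array of languages" in the code scanning section should be "for an array of languages".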
From 069eb66973acbd563f1957ca7ae399c804ace42d Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Tue, 25 Jun 2024 22:29:09 -0700 Subject: [PATCH 2/4] Added guidelines image to project resources Signed-off-by: Eddie Knight --- project-resources/SecurityGuidelines.png | Bin 0 -> 38180 bytes project-resources/security-hygiene-guide.md | 8 ++++---- 2 files changed, 4 insertions(+), 4 deletions(-) create mode 100644 project-resources/SecurityGuidelines.png 
diff --git a/project-resources/SecurityGuidelines.png b/project-resources/SecurityGuidelines.png new file mode 100644 index 0000000000000000000000000000000000000000..bbe8bca6286f92b6e3a98741fcb0a91ab984d989 GIT binary patch literal 38180
z+EFu9nTLhrD+*O7LV@KeZ(+iD1gJVhU<*}+w>7;)+y1i+%AYEgAs028|G>vfYnV;r z;JarPmwp%-*D?Pq$>aAD0(zknP8G3y%Y;;)m%N|-80?4mFMjJ8=3;s;GBA<2(C6|i ziAMGJpIxztVmU8ux*5Oy2Gz{TZkJpomPI!L5XYBETQ=Unr$KLTq6Gv(unOdU-u&R( zY~aMNO6-m*V4T5&u*Me(*UZK;|WknPs%%)m*i%55Gm->W-!bbH8%%j31D*pUu?FSB(~ zJIX5`LH9EHJn07?P($u^@E8jmM`cRZ@y;!vgQa25GxG$=p11CA)!IzAxu|;zL+qzf zu*bZD{X_^*%=%p}bd}S3d7;tY)(wztEINKMvyeAu7E>ccTP*cX5nUJ(zE8$NJpmpz zR?c2qBKs8Tw(=O;n|DmN+1w`L2jS^kfsTZpk4zmQy3+UtmQXHPwc)=MrV%w`r;JIj z^_oYi?{9CDC0$hSd2d_^gx_w06LW}N5~0rh5QC{yMYwUrxV-iEkT5?mlkeek>ke2? zIWW4AU=Z%ti4O;^KDE1sKRfM67M-6dNpctsfbOD($hUFz6K{mCT;UT=H97L8pDe(a zu%3lYs?s8?KKXkZ7tIr5X;{Pu_oKBIy!ejKF~-rV13=zDoT9)IsB(-2Td(T=H1C_9 z`JWi7>hRT3UUd8ZUm*|cI6Fk*d}ks=APx4^t*iROHUBhYVyEn`(#8btL@SW<8nblkf+U-~@D#H#+ zs4Cp_EdqW|0C%cN*ypId=9Y|OLfRR}wtPYJTGp!be}SL#;Ip)R;8xotMb$6qiP*cW zzWv+^#!&vJT0Gp4+s8ZhtmxjSz9a8C?VUZR<3n-#2W3kcs%33iik-9pymatLi+Mw7 z3Kws*?U=jfYE2~G2b5i z7=%yK%~%1}AJfi^O7jj74Oaftg8B`}zY$TKe?}>QY7T+f@*Q;GA&@{MJQlt6ruF!9 zHU}yc6`K7MKK3tF7&aosc9y6@ID;@H;^ct%BFy_ueZ97>=nhiOde364Yy7dCB;TI+ z3Dp>BrSE1G*l$wQC*SfU<8(A7cSJOMuzdPaCcCX?H$|Im?w_rEmDsty@Mb2g;)WkdG=81V=ho!HJfO!R60I zXG-)EC>CY`3bg9qal5)MnYA^mhh3fzRfpk!GU~>J@W$Ao4qN>586^fLl!PVJD)Kp3 z7jsC-x4lN!i$^fnAS?OJu}vh%{C>EVapnuszB6B&tE;btpOXd5aJ=(mp!;dXSVtB! zW`Ms+J?C)xX)MR20yt$y$+}Bh)L)n44YNM0&>oAeP72yvB@VFoNo=g6UNLPj^i%P! 
zNnJ-L2&nYTpjKK~qgYt!>Kc-l5>Ld`C&i92N5~GFh-C{LR;UGX;s9S(E*OSLGogTi z$7?PZ?A~U;W3xUGKtRzY#EL!vjyAHQ)P~K5@)Z0C(h!d(`x4JtaP@#Prp0w(s-G7L ze);*%@%Jn!hJE3jIm0O9qnV4%^Pz}u(SNxyr3lk0a2ltQ(&{vbu(mNahnPnL1`B=B zpls#ul>y`*PrDn?jhmdFM*B~`4Sesq2*bC21$ao`@B~1kpv3AS0`8(oba>^7%=tW_ z*wF}<4YEvJ1NtY4uIJdti?@rcSa3mYLF36$hkC2OU-1vto?$9{(KQbeW7OWxD0MX0 z^-;UOzDM!Lwkjs;be0FX`Xr89r>xgBMu8okIn)H{CR=>OHm;U$Jfu|@isd0fi%aBQ z6nk&Gz(>2w+>ZVxlIh?Tqhmc8^$E^C^0hzmEZ<#-T_$+Xh}DnQF0*a~e>2l%_kDK% zQxWqExRE(4O|VPEn1b4!wa97eAsh60jgEf0{{>1wwZDGKoOwRmr0j6c5oZSkn4WCf*Dz55t)EU%X{%8w2ufDa{{_rjBRmz9# zKH6_S7=v2ux30JuIK_Y6>R?F8cZonxs9+;T^JCvpzY#^BUnM7J+*3S{$gS0yWMMta zM`Jzv{3KGYEkrj#GdT|%ILdLKhyH`+6Bl7U_1sdpC|rc9tnL zNhs_Ho!_9MZ4I%j%CLH!6Y>tFT7eBhL&!5dlhF6H52$b>2im;<{yFOhvX@|;{Q2JX zY1T<>jfaWDP?Rio_-9u9*PmCUX8*{K%R?`X;VjW6HI&x*=*Ys?Kj*`)uioUKi>4dO zwcBtPp)Cxo=O5mClCc>utT<{2s13TQ4#3oWH_@x$Pp>M^Xw}bqxZ{!~Cs|!$3P#D&8L;KLZ8mbL7Nu{<+#5)1B#bF zqoSYL{OxKs{cy#dPBdC8eftag`XkFs)DfkBLO&fez{C@qbOrXxQts&EkJkg?*w3vX ziha>gRdwfL{MwGXui=2Q+^k1Le@M>JZ+ z7g>X5@Q<#bpZvAG>ZcEzr_YTZWJi1vy}d`#&$G~OD8 zG}qBn6=Pf^N0iw5Z?JaNQwcp2?h2`At&|TP@PD%hdA)jX3{omgtml6ixPQi`@DZ%% ztGF|Q@%8MV3FKz2kOzgOt4WuYJ7t|QwB3lcZMuF06J)2JIy!_SI)9-mum&I6*`n=o z{Jj`2J$-(i1;{O!F9*^yma72M>d(c{VX#L9r zzoo_6mQ(!wlV3Mb3D2!6S5j?A3|}&5)|@3hnFbq2kh4DWqxSu?f(-ZUvhm#EDY(y; zpK@SVKM{}^e{`N&$7!;R5i3Gg)`aMrmAk21t$Ge_>l+e!NDj1w=rg)zTgyH~!#-&DJc*yJ*hX6Z47L zH}yG3_l?4>TZgTex8a)EX%Th;byof}Mg&x59Ns?;zqaW-et57+5?PDuhlU&SHq|y# z1O3Ar2zN?k!W3=U9!Y3~+UE@X@(OC$&k8Tov)B!Eb=JIDcHiC`E9-+;BpR!x0s3#g zTg*Xs6tI;fDbbt_>(E7I+^(HN+ts{LZ$i)ANIkP6zs$g2w-&?X%||o7p0}X~dNs|Q z_gLTEbVMw2A)F|Q&D%S*ocFP?lh*s(iHb@VX0R9~4{ft~fOr@>+~YEON9dWzTDb`8 zSuy^{uGUh}=`%vNS#l@cyI?)rF|a*=^?Vd<$Hs1a-=2Z>^Pm4lq_z1$O`NiMORk0n z**aT%j?v^%gGwS=H?Z|5|C8 z`(>zhhe)zM)gS45XaZHNJ0lB|bgAO+GY+9QFTf>ID{96ee>=zUk%oSc4uqm9 zt-@~}PA;-h3r77xCmQvFCT~$USb*|wo%Vbv-Sk~i8_-QdJz+v|ad3rQ>nkw)&~lmx_LD6Ne4O#V-Q#E`#b*RG5M0VZQ}^Nl*XOhY?B)yu)(zn8Ch`P+~`r zeu%JZV48~!^9|?%lMFP#zRW?;3_+j1Cj1C43u5}uVu{`eYe$=UumxSDN`E!thrYav 
z$@;LLa`ftn%!3j?weCnepksAhq*Vo-A3Sz`=HYuzrLDgM>4dkvlKwt?yB6-6H-zNp z`AvrQp7uP()=>Ti13ltS5d8pabJ*(E&L49h^aY#epWa??i=THX?PI2WbFrOo3L;lZ z%3XN>@x=_T%s>7Xpmfov1*qNjG6k`jKJPz7tl+BOch?8`YrZW(c2`^~5rR`4GE?k5 zZ*OS9KhRlr%hhfawsyovoc46zYYCvc{=wr#ilDIS&Z%~z4mN?s{}A(8oz6_b{_Vb} zM>UA?=5!N~UiD9N=y84o1NvXU4))OV{jmvn&S`y%&8zqWlmBT99M4tS@8(ak7M-R_ ze>Y-17Hyf|v7S*{C2;yJuQ7hUD#Rx)ZouR-TUrJqC&6GUQKqMumaY=t=u*X*!xHNS!S4Nuu8KwBvx+Jz8MHs*$A7+RW zZZ}H?pJQ!D_Sm2#&NF!UER%>UWAcdS^6-aeQ=wx2X_(Sd0x_ZmgYKYm`%=@;{1(Pp zs1B>wXlQ8u4KzK!^)IqDX=rF@XlQ6?XlQ8u?Qlh_+TuoS);KCp1^}Z;yT2@R6+`qd z8nUCIX%MR21-K2c>G=mvS2lF295HD9Ikt3@Y?WAQ!I1C~X*YR#m)a+Br#SrfJS~kt zVbp)lo2C*AfAH7O3WPbRIPne2th|P~cTrrao)zx|jiQP|Msm+rgwS^CsCpdGQ;-@y zvSHC1G!;-S&1+T{x^DjMP)TNMDlp{V3AbxYXg{$7?&>BGVT`QS=G8rG8&grD4OB z!Q?jb9MrHi$K{xd{7gICM1GP0JcB0ud`dh6QOi#;SkF8|T_sgXP&4I#qyjMX`SFzM zMye_b^gplvgQV3G0zg3zWY><)CDxvpz8jhj#i(vwGzOBcz#l^-$3*R z{$V@)Yr_dN!vpuFqgV5H<)MV(z}}Ja6XoC01@r9N|78D+9}kk}vk=PqM+Q{Rzy0y~ zUEXqN=TY$E?L|$P{`$J_%U&ZlCMdFL$-h7Ng>VJ%ZBH z9Q2UTQHUZ;aF34horisC%R5o`4}FYM0_!Ky;eG)dSUVrJhdu5C&qqC<$^@m|K`}3% z`_`Put$whM6Klf7i7CT2>yOPNIt;PFyZ7{B%FVGA2dQZ@q(mo-(BCps)OfO?+WxO! z507fMh)AB-b!GiN4cEYkACCUlz|?8>hm4L9g`fCqocSSG{96{^sum&FIf+nX7Ut1? 
z7%)4iBzrrvZ1jbC5_O{Ds0@R_XxR)Hk9HF|Ovw}cyMGP(St#$iFZz~w;RSlZ6L)YJ zJvjs|f_C4~yNkZaM@io2T2y;uz;ZuoO|U~@mCwr^+DMwML$BN z^%L{#{L!~1+$b~-+)!R_7W&YRvGu3R`ETeYf9<|tVeCL@Q^;YsiEj!&e(`7m(kDM6 z^rlPG{3HWtmYLO5B`C)m1*>f@-q5=c{rv8=H0!M~NVpN{0)8Le3qe8GafA8yAb%h< zq-6DegDF0UZVnvi_R>=dhNXP=l~9gjybuf8SrfX*+%BdRXbaBXR*|z z7gihh6IQ1AmSdy%!JzUB&n(AHafh9U2Vp52tv^3kR(2Y$Cf!D{)kk!&n3B5KExr`c}rg0rcWSWE6NtX@h zEF~{I+H$%*j11hjKV~+2$%}R8M{w8stvgRH%Fw%6;Id6_c%Jv!fZ!%z_2Ssh@C`(D zymV%G_V2JPP!wFrz~x*hQzYLtQ-+CyGqmRT>|=F8o;gQf4Ij&{8CObpD^s@enQ zH<4X@-{VyKDizJqsF0*V0O)4FHwS~vcg>;AySx^lz1lS}8=VBRuMs+6@GhejnC|up z{fIWetU`}zkI@_~+}xGW6WnUqZm|cLQ=xtPF7P`mSf_4zeJnTePqw~~z z2!J^#Y4d*1?=hAj(q;M15VV({#G%LMDB0eH_nMAG&TLUa&kuk$B^lVKcIp||- z;9RYb_o0|Z4ZOA8vYp5{r?YVDa1n_S*o*Ac7Yuv0*@mlc$E{oV-KCbT3V_mBRZyS5 zccwBxUrPXkQPSeQo6lJ)Fbi4SWYzA0_+OHnv2(I4ZwPL3Oonk~`!!!Pi3?3v z?{4V+1y!-am#q-G3e=Nu9b*{0UP-KZc)kl@Q<%;}?2xggo?k1mxXt2w0Ze{B5sXr2 zu^yZQn2|ylYbpuru#CjL_XDhtlG`4k1nQb5@l)`R<<4tgxQ79}d#3@O?g1E`ZVoFV ze%t^41-VN}`&K=Dyb&CcxzO|o*^K!^9aMyl@U$sSiy&ryb8{65`8 zFY(*$9ih0sj>=8XPu`~h%Tf659oyITVb4Z)*n|}humhcgW9a$TU0YXn#RvNsumYXp zZ6I>w35q$$8UGe9(MGYOUvhk2qh0t7Hv@F}7$c<~kFrtHP>|s3c^1G0v>Mi@P=b+-()%ZoSF6h#{<=;h}=S;1EJ?8Z{Iaj4n3F%D~UWWN!tVagIs$s3mTTHkcZ9Hxr4_^qf*CQ_nOwkNk0k9}k!6-I3 zVmHsi!~R&(8Y7;0A;?Gye1^OM{|2TulqQ%*e@=qJkOL9GQ&@Im3-f`m67O~hT-{;Ef5@(L> zp*#No(*?_2CTN|Q)8U5y4=Z!ar$ zh)F$PfMq4==6CY-{Ez5LbYDhb!wGYU-5|s~(aO$05?e?e#3uG;bej#f#o-F$KV6PyYhQrv?WXTYJrh|{ z2|c&T%F)BM$mz?CxYzX??bm+%_D&~I_T4WfdE8H8U#NyiYh|NEtmpG?Fr;XoiiC>) zPD#lN&xt{Q)^#s7+_UE$3DIM=dc6sroMOQE)Fv{iK1R}l8|s%mo$rmCk82LfB5M*2 zC#H1Z80l*VEhF`8ka1UAigo*@g2<*s0mdKju}BYgyb<=HEii2EM-2hiuqR>Nnx&ka zFk^CeF0{M&Y7qlE*~iZyD_w^~>=DcgQU@vTHZHAr$T?9`yLMJu)_aA zu!E|$b8-A_W5#CRn*pl@G*hmhU)Tkj_u(Aev9>`;#$ZyIW7-d8 zY&uIMz1@Qn{oSt(W2pO}XS??KErkWhi36*MbZ`5x+ia5b(`nmbpV6=v9bv*6bb&n# z6+fRNs7kZ|CCyuM554U)5GA!95QBYIo5JGV8`DsP@;u~waPy4TARdlJ!xJK}nmt;k z7n65>*YZI^Nz@{~YMiRvxF6ZA`V_}&14v1;jv`k>rRi-n-xtr;IfpWuDTkpR_`*Zz 
zC^UOhJX(PZQ-6L(cJ&-ikeCql#LVY`^UTybE(xXu*=>4+1OAsg`{B5Wyau!JdM z$vXIv1K1WBW3Zk>G(pO5HOGU{Ejj)zDh@KiCpm%GNCz(aY=8o&D5*tk21REl(XMgW zYZ1L?2TTt_gB@Z$9`R>J8-md*!u7%|K)W;~4FXq+D*Eh&?#;Mu(q^+Q)&huasXb~8s$6B2BHuO~RHfS3CR10(i{R}w=GP8aEiJrq=UliaN zP@LNh%%@e&C(_{QceI&}i8$6r}WJy!<=@?tGaIaOul3?wOx& zQ{NSy6-ET8gcr()N8k3d#BZZ_k6g01fn_4fNGTf4xQBk^e)##`R5gLfWDTd#X^`|p z#h%SUI}ZJgscVrK`^dw!R+j^9{RW9V-FHP=^IKn>%GJS59pRpeHt%kU z9aG6>%J`@fvmO@s7nCu<4uO=3G6O`~bf_td+HaxQf5@=meTm2nwHaG& zbVp%VNP5`1!4f@&OaD{6P|ols`UiSXR)?-L^|9SML%&UDuR4PNQhX97-0#V_K|iblZ(Tl2r1wwDf-}}vw+qw$n408p6H}E19NbZgkPkD(33o$G3m-6# zppz9N7wSsuXGiB>PVU3pn6%z@$8;F>)^6d0p}gC%D=ri`!}#~O!D8=9ST%9?6uvdz zA~y%u#KCXuX59;H3JbHhZhe)lr<^W;j;0j#TNmda&R77GQuj<)zf!_1>CU|Ci#S^{ z*B{LfmNQ8rM(<{&?U=A`g%D#-_~9NUqci+(mhanDXAzbNfvMy+82ZV(r4(PRgQf|iaR2N=oN8p)!ye~+&a@|U82(kT#wVb+Uq2q^ z2YHsDd*^4-TlCzfgtWV0p_q<_fO)kTVjRtu90h1CAU+9z5;jQN&Zv%9=)Wr zG!z@PDn9oun~!R*8*{Y9%EA?(80FYeqSxzH#_enyJ~8&2C>om@33~Qh5HOmLTQt2L zKlrB%dFwd~2AAwj^XKW|bE4iUWh50z*BGRg$**5hfoP<-L=rq;a`+9Fv~o#As8%#F z6ow541-_bOxxi)uM{tAN1ma5ku2)={bg0A>iT7g2v4O*2aQW?ugt8DP7a9k}o`P`~ z+c^dYyNqB@xJ-;EnBDeuf6$9LF2McN#WBE`mhjXFCc3*nJ55LV|C1T122EoybW0*++AJ&GMMqk%^2nv4Hh&bP!|bYFub%um^T0Hz zI9*oD=r#2M)LktX)BL}{=&)xTe+~413dRP1S2v%Mt;u9{%K}Ijq>x*OF;BXJoLfoU z%Jej1n^Ka=zLg`9*An~oVOB<#tRF9dp;?*`==U(*b!$)M$!^X+=gL&c8Fc8%jv5Ak z#An%G8q5L3mDf-8WN=0wJA87R0Me!Kq#HJ?${RmjU<)H?D#6yQ%a3Co?XilAIr%Ta zd+9xB(D0H?-NrsBn_rm2PqN22=ECCiE78=HxYEo`h65|lMYOWwH+TzzE9)8l*+Lb5 z52NSL_Bw5>)TeUzv4tdJCsHpS^GdCDR#)U;{E=%nHN|g+?z?r4qY@B!;5dJ!dqWTz zeLKiwWkZ5`HPSv2OEm-wL%fkj&&v?wf!x3yr2od%#hAgmNWszk*6$HXWUg=tXb9^CWW+}xRAf6m}X}Y zurxMbHJ+HC>%M-T5g4^+0rXsJv(irqSbf&bR0rs!*J1TAE^AoA%f&>5!SAvxK?_9H zaosTJMeaT>-@P3hIG1h$==1j-o%LZffW*}leNYw`>q@pdQe8UXUrI@u-M$4ti{xnl zY9c*ydILk9p%W>P6$$gcehE%S4M{twnej#NdKSN0Ir^6?BaC5grc8;Q%ClPsZIddl zJ`$0^p3SOrHN+^eWCS%W!!T1ao@q^ZQU;SJ8R9#`8B;WQQ}a&`R+R4~222YB&^I)m z(F~yZjFBbnuXz92-C5B3VT>(NrS!VsMo_(r7|4yBX^9`~h%2pu1xvb>@+7NYUA@M@ zpd?;Gp?{0t{{+0}XT`;NAhOl(q(kd2QTZ-QCD-_#_IYLmw&^|&p`oU5jq! 
z1jMdjL(>}`FD|OWJo`ibu}eTZ{w&c9w|!5>S7?U`BGyMS`p0_BRtt!bJ+3bQ%U3fb z%x8ui53~rELsXxN3y?P?gAp_h2~&q5D-P<)`15MZ$|e^GB!x`{M3$1PpUctRUKo+C z(icmzl5ppagtiG4bCh(sDh)7fehsFA`sMCasiCkgKfdewY8@NK1U+>R9srguH=PzJ z-uNDKt?7UuV-S6?4(9v2L{5N-epjD5@a;1FTYe9t4ocd-`RF|i9}Z2xD&FiQW$NPn zFlH?n22KH3_dueR|J_#ye&46kTWzl}Y23FthC-~Id1IHE4u_goIk zNx#|(a#FB3z=*?bsRO#N7J_ZTdU@TjQ``ejK_YS)*abCUfH~#XU|m?;Np&bfO$@JxqYxbHHQH0h%W z+>yD*Ev3YDWv!bsl;pr7s+Xya25#k=a)8}LUUuil$*ozk%D7G{_Uf-gJd0~;LsVj| zK|P4jDBw)UJJ=q3u0{j9HZ;(X>73b5ZADHC&4dGL8kYkk_D5>TsIkrB=c#cgrJ3Ts zYB#J#t97NDM=q2$ez}i$3gbkixzeb2lO&J$8xd;JjNT54!8@3D+;x=~q<1t-o(Hhc zU()=?J!7TcHg1~xc%OY<)1L1z47ae>8*BVcoX_y}JUy7GZQUlsm*+aNtN*0`MUOFb^iIe+)1UkidM%62e|eDE~#WjmPRqXzP>Gb|&EqECpdza<9k+=BuG`-6$k1-Doa1L*4f z%nkcKxO;w5l=P?>dts9FP0n&Tl#mN!g8?QS~TnyV=H@0Pop0 z*!U7#PNQ?zkDnHHk7(yK!dK$2@5ve1k6}TY7RBgf)S7*o^dDTHhhFG=9BX^aS0X1VT z$TlYj=hT~uT|Z9hS?R2wArBY^&GD6N8K#y&-L%bnevE&=FwoBe7QN5_&XSiW52Y`G zSz(F*TYMEsJuk(k!kxs0Oxq}35OpQ;Ho){qtmm^V=n>apXbkDiVmOk{u*~srzhFi)xvK$Y(p$3HGoBxSQPG`YFs?5#N0mB^6`7mV zQ?eod?ZEV@@=cnL8JZ?c#kbe5 zbGP~M8W*&(K|X_h;qbk{z(7lr-Js9KiR_U zj{$w9cl!B0>Is^McX>UoTQ@|FhvDy4B={`MjZy)sXkKK3HR(BCo+$F+^AefZOA2N5ruRc7c3F97>ZsqqN z8dR`)-ENl~X(NwJA`|a&E}ou}(T6C3`281zld~|d4V-?2H5;{}X)@nA+v_X_O;X6b zjJ!ayF;RTANG*iQ645}6cfCSrv7#R$JTTZxB;p1aG(-8-*N)h(Oewmx|7aE(Itsny zdy#DyY>cuBrQ+p=T!kE?T@Dsg;0h_EiVw@}xP`^pIiHXkeaj!&Po|II*m|{;;0d z<8L>kSMN*tbwX_Gb8+sSm|2_Cqr_Cb zJZ#6Tw*>!xaIMN{4hM6V6M5Kv6ZV{i&09N$N)LE5Pu-xmx@yRIBb6Se+-q0iR5X7E zZD`@;&ZhISkFnrj!RqGgvO0=*J}_18V!_<+Ar8jx#vbX%mumY_#m=XIgL)@+k0r9Qqm`Eoixk(9_stT5P>uf4 zg-Ck(6noYU9S=MB3|EC)7vT{$ID2OF1dw{RL)2{-TuwTA?Bwz0(}KzA?a2uZ%kX>U zE@6}Qk8g!d$FK!P;X|;VT}9QSrr@qS5;xd{o-JbVe=;^%eM+D@$oQ;=vGLex#(Ex_ zh<_o2SX-?q-1A+$$CO+h?Zcl(Y8EpVxHoV^1XJV5S&MqZxbtc2peHZn<^5gyjgLGk zGGUVWu|Oq}Addlx+KE>Noc*y5w)rbyE7tdsRoj{5H_lj_Ilt${s8(u3K^CEgK3oPAy zoIEEm*VyCF5;(xfB|11_jc6zT$e^GZpz11!j63o~hPyTBncPE!8*?e%M)X7k6r+9& zS4%EvgMFvuFQcX9*EkKJJBDbHjvVQeavAQxIB)*3HqQBwGzg@(j@iV?Je%ryJq##i^2W(WujqFbqXS# 
z`DO`Y0gig(m)`fhG}^FUupA#;3Vwt;ik8=(d+(BlX}*HjZQ3D|iBolgEh8^4F9vKa{uGNEZndN}m<%p(*`Pwi zg@|BVR}B9gin_SK7Q=5QM$SL7#TX!p-=8IhjWUiV{$)h)8Q`jMKonoZ($vP+i{eYk z=kU~Pn8BzPmO-EH#K;1}s82U-Y@n%j>(h(}s`#U-HY5LQ{DG~ki0L!NS$mbP#)PG! z(6O(n1So1UfU743ie38RK7gUtqc?W(**Xmg0x6+?%*m1W<#-E z`%Nj`8P6`VfO{_5#>_rghxu#|3`kws#B8{NZv36r6E{PTyw%O>^R<^SD05q@Ws~F{ z1$Arl&`+X8D%RlzAD(2$tyba#(puvm)$<={ogF@SK5l#Vf(s)>9SbPyTw&WS4>2OSP#xt z&?e`Yq~vgYl~!W1xWM7>*2~qILE=#2Kce$b z^1$p~fX@vRFusHR=xw_t*9Ut&rvB&Yksi%q%5xvDwNw{bUzpGMgSic2XH>A)1htJ zNRaVA1F$YowEz1ldNT?SlI;THgg1}p?rNgFBe9829F3DXg?4cGMV&h`>dKK z-)2I?D$zkVNpr&NS0oKqmZ=5qhS@>Hyn|BbHbl=O+ld$v<67{8DC&(?C*mWsTbbj3 zmrE?$kyXOAt*IH8FvEbMBnu)6U}#R(K;vd0h5vu9xdF&1;bw+wZicVnsN#<%r+{Ch zOQ~^f+#0`}a)*Xz<{l$}{I;WUA1D|&D-xfF1oi>xgW-3bZ)#$j+COv$=s$~m;^@^0 zoY&$@Ci$s>zQ>!LT(By<32-G4T80h;>4*52TkI^&J(T2e(R(vlkr})0i-Dz2pnK4G z(D5f{`e^>M91kpsxh$p4`D`1iNb_glwzDO+AOcP|+fgmBd)RhjA4vf9;XP!V$$}}7 z8%%|0$qdI^GO(F%i+hHaAYm?#+hgo9YP4j7nAHeXbv?dgpi4x1>I@&<6#D?J8X7Y} z^LNv4Chqzw(*D@^hRx>EG$xx9N>?_~(D2*v@-S&N|C>0lo+{AL(EQtBkb~(o7={8l ztW*JV)P;tIMo2Ive(~@G1ZVU1U#v}ifp4Kp^PfZgaOFe?j7FOi`PUw z`yr;tx3VQf_2LHru;qCiF7CQ{{9TS^iA))Sh573+RJAZz)n6>qw%+?>)QsgW^%~!} zabZoJU+E`cumt{_RE;cKswJ+k9BH;*Qx@<{OmSW0Xb{n3dS+y0RkhFonR8(+75|nm zO9-@ZJMtvq{OE_#zUE;5$osi}Z;*L#+#&KsCosO_;}bLt7*l*)U%gq!lse?^;nffN zJ~`(4>d2VKac)h4y~5W$a3-V4!;=otUM6aHiqaksJHHDa&e_LH-5>V>*5tdccdc>L zGTX~xeVh%LoPOlww3-J49Uq_42i}s$kEROtx6)mI;=l?^>VQD3Ca2xz3O^-MWq9~W z>i(0cBLQRMUwtGlbWynezom=)Sj|6qWUY4U+K3&t8;47D-&Yh37wft6OzFa|Yn z*CLD8Hoyrv25`_D|M)Geu6T+`MlT205Qr;Ivz{k{q%C4wz=${lj_;$9W43P~F^#SgA}V0g zfeqT-@%JSv&jJ+*vCiZ|aH%fs`P0Kp<6!4@N~+;w)w+^NP_=rM(5-L0C&f#L&2U_07hqg{Z43u#zAk7DPVP8wnzHc;N48_Qcu6fy@9iL^<&3=7w}hM z>A=q>P)`^;4&o1ga5XeN_dMW)CRkli1J;o_F!9jwU~;)#?<4bFBezMx{5^JIePF8F z^Jk-gv1~2z#-1M27@%?dx$kl_=i<0)RhumW#?b*lBW{{X_)dTxL{(^)X`>P~PUO+U zHWt%9_F5K7_BHF=$cu$ZrRJi{W1}1o@&tL2j2_WblsrxZ*!q##I_gi`1S^p6+m5Xj z54Ohfhv#0o@T9_VPqHFFN@3sQbCChE;yxbRUYy{`g}*$0;mRSE{&6iqJ7NLA2}ii~ 
z>h$@G=UbRWj|AA}!Bq>d`x>v`gL4H7Sjz1fv^{Y8ab_Ed$R*emPUs`$eWvF*Z)MiA zggX!2gFCBSPCVYQ)%?FOJC0bcYabvE^F3XChV%A)&GsAtogTXT?UrI}J^v`o)W~ta zTf(kUkK!IRf&LG5Ve|RZ!NFqzTHf;TIZ3+Aq6a^}^&2el^7^ePmlgoyJw2W;Ed7aV zfq4vFo~)zu>{z?0u>+YN-!@r4jL;Bs_OKojeihcoSa-96>F=7T+P$998Wz4;+~Z7= z1vBKs!9n`L=Kv1HG%R9#X_hG%zMiJ=#I5hhu#3ELDMr8zI0mcHy&2@v!g1)~pk;aU z;n2?;Q#EW~uk3LmqZ8bA0!`lo?PkaI5;+?@eBy4s=~?SKH6#O4ow7cX<91HY*UiZNWae)kX;zW&dce9>{O%3@~Uh zm@F9kU=yKT?FIdIxvrN5vxVcIEd;H7_iv75K)V%6z?pgd##DTTjlJ^{we3BbMeG>-J-KsLqiQln8v^IDJ%H@XjhX=`+mDa$AQp)`fhMo4Ri8Lr zw=)BApKEQ~Tj+@aXXtY`!G^ugjwkxk#mP#2qQ*2?7HQtp>!ziup5NZ4y`$#AjpEH6 zBrTD9_ZgoeCiG0+54PzhaOLaz4p*Y(Wgnku-r?mAvL$Zz>`n(2`PhV!ouke|`=~|6 z6XN-~R%(ZNJREzUQ_^j;T120PC$~kQ?c09cQriQJPSRVM))8M~n`i=4BGf@OWDkH! z+z#-+jcdn-XnCm@8~HC%U$kDWf`yTy!!kSIRw$=+{|E!%y6%Bh$yB2`KD86T4JX(e zsRCT@v$*B*J1%UN~bazi%f*y%}KE?~NU7!AxjPRyA}`v?vH;nC;qEQYkhv6CF~z#1FGli z-XI={4V?2%Ffz&*u0CW!k7U!XZ|0k|x&M;CzUT(_XEX>eX0MOL+SuN$`=;$D&({v~ zG_i;Oiu^l{_xu(zov~syBPLD>!QXPrBpbyu2^X7UJvW1S(S~43tX1aTIR{>Z$<`vZ zf7fKJ!-l{<>%wt74a>u@Gu%G4SKn}bU^(xF4Ib30sY!ua09&5HfqQKHv9OBZ@*SzO zw_sDwJ;ysfQ@Xt(6Zlvr5=%xKfotz48t=?7R*S_-(uuih-2A4eyl&J)*c#nULC;Kd zK+Yn=QKQ%kGy1DlGKd9&l*dJeZu}U9kS+LM&KV;cH&tOU)3Uv25$n4=_0_qQO%e(m`1C|AOc-brH5t-1I zToQr#iLUj@sa888hf+Kry*kd+_3*ZP^12Ijjq|8+_m47RZocc?haQW?uHh~Ttl}*|J^=rCXP&~yXk)Oy z0?;MFY~cH6*az6mH#8mp!FrCg#V_Qmu=nlV2alhOCePOn)6N|??#m;MRW)RpqOM1< z@0>bhL^Kvy=Ok><_40I)7)$C|7mSjynR??O&d`V*AW3W zafLFmiG^<8&QieD#uY~aKOb6JmZX3XEUdO>T{n!Az_oetT(fStHn&xi!Ma6cJnWg+0ThF9 zmw@dRqJOr(4$vdPtoQ4-M8-uv_w5KhPsa_mujF=b{Do8JYln5-3+uV->)C8>Q#H<` z)V^|C(~Wi0cS&kExXHEAgXM|x<6bw1@$Y(z^R5Rq6`hgZ8-mHsf8_g&22YSFKF)e7 z5AEMTVcx!%BLCeWxsldwC!-*g$IlaajiLHvxYJ*IzZR7acqu> zidOVxW$m#F&6DSs?yezJ91k0hHpfkx898d9Gi(5EcC=%#>B#M2J4gfD+8xHV!@r^a zFfv=Yz%fafe#s6xW%k43dAVE;HyyAE>p6}xl3K+MA+o2o=@Wx{h-*&xgDi*=osei? 
z{(AM$;r)y>Bgl?f!bj-gF4Gc^EZ7$^MkwDw16liaxPITjgF>7Qne%>p$0ZSo6-~7Uif6`|jWl&){k3y|C>fjEj!ITpe})zFSwu@EG6cH|0dmyt&@+Pf`b- zUZM(Rv^f8!EmagcY`eH9D^L!y6JZR`>?RU@grOJU3B8l3tf3~!XT+Iyfii>Qn*l6) z(*~qnZo-sT0jm&H??y^-xGw;<=q(R|P}=>>#bukI za>rCf@9-dBzcVJ-5ZW5%{Opnz^p6i734>mExp?-1)3~pOPJR|3=Q0!E;58WNZ2+gR zZQaqYBXslhep<4LXYZKsq2jLCi&^tnoV6&_-QCfQ|3K{+wIY6AhS}5^?Zic04z-!q zmN+(@Is$h>$|L4=;ec{GG2H1)?al<{VN=^MfoVoI7UC}U4gbwX31?X<~^!@lLXXrnkdZ%cXnRsxY5Ay^T1o!&67&k102LxNxEp zDzSFnFG?8cHd7eBa@F)L^pgS@pM39P)D8};O}~0K&Kde*?~tTf_-hBpo z(fI!hqu<9MlcwrO{YrLz-&v+a1Kx3H>iO-FwoHahhRtogIM0m5(ha|CV(cfBM*SM z0l8vcn@m_D+Ju<%6>CB+|7!&Fqf0`as_{3t&Qw^#-qh9T6SaX~jVu&{*})5*5&o zvc*lw>Qjs4VM=EJ_QXyiLl2*sDGj1S&Boi!6yYv@8?uuK1R4_c=1?2xy65yvDUcs* zxn-Mx!#{sTb9Mu_m!Y8%CR`_UaMaUKP4TQZJBO;-zZf|_@&*`3UK_e|7VPuvKO}II z)Rm{!)68Y=IrN^|z+?(FAoKXO=SgFYdyh8y*h_0*J?lQWx8eCYS%;@AXpuCe^@Ah3 z5_f=vZ^Dgp=_`0EGDD9Lak67$vQD=eoOu0k!g;P%aFWwOGH;YHv3S-KwC0l$!!$I1 zADjnw#h~rGk(`wM0M>7;u}_*}uqYne*%D0>m&%I$6RGRqDh(j}?2a%8o+R9&jJVA8 zLCv|=uLsIT+QPP%O}Ks2tOlmFhSiaZk}6E@_LoxJP!Cnsi7;_7mu+O&EAzMuTRz|) zaTxj5N-gDq61U;OW76_Ocok8< zqyiBU$>cvrOa>n?SRg`7=8DQwv63`2je>~N4gig?g%T0t0T#q!7uhJL?>;9&yH=Ur zw;g=#rCU9VTrUmXo`)?bx84;BlFzo|Tl@60r?2IXmyMVJw^MNO?Qn&-mEe2=yVP^H zc>2lmUakOG949a0N?eUO?gpLHyWr*^aHT<{0J1BH*xr4zlnr{voE!%+L2A9r(|PPZ zyJfLAG5{to+Uwm`cDqhyNdPkwH38Zrw%z4TbT!@HjL|gG!WtHvopgW+ z(hJkJ@}DCFB%f`=J)uM3f&~l4DQQKGhX?)(7R(=~%&@y-7HJLLgD%Xw>MP3&SOc&; zPG0;OZiEOFJc#@~rG7JK~j{CrjO zmxqU4^lp@7S~N5y9LM;s;%hQZB@(6qw0gZ=OySZ?-q^emqL$qhpP!ThWi9d6;&9tT z$&3e2ov0@X9!XC^p@;oR^He`-BAoChY*{7@h;)7=4QE0CRtLz52CT(;j#UtGKTKRl z=$WCFumzhE8QruZ1kgX*z8`{bCnvX4(s_PREnzm1Kxavi8mPZq3@2l7V`mZH2P`8@ z0Z#dgDiUds0BmxI(RiCQ+^mSp_?!cf3E#?n^h5;Uh@X*S*Q|NOMKm;x0_S#$vun}{ zmU0B{-k1yG9yteCgUq=^*U&}KH~7gF&p9%ep4G+(r+L7B^HMr2Mu;;!Ys>lf!pNUdoLV0Pfzh1rq- z0}trnj&I@3En{X#u$Ni`bYCL{`bTb&S?`C>XM*UY%U2i5g5v7(dGPBCqt8=crRDLx z%*~rfbWZC@oLU;80?L7lz>Y{7L+IH$9)CPZpKbdbsl^DL9mAVVPa+n|sUfJ$&QI?tDnE>Lbcved8hxR$Wm9NR?4~I{2%FW$tEWo?`}sNkbL1y%nWKpt#zC8A;Kz&>tslY$ 
zPA}56mYcX~rB$OO$D^U4X$V$ngQyY>4b8uuRZha$OMr%krty)bI4X$c_SPL^S!(ruhPew@)nQ`5GOD6pF=S&xHow#A(?qwUmQ z;_5fEW)NGj2o|>O!!5t0UZtU-sTQT@I{_@>`iSm~dKz(G15P*}*m7h>H7 z`=FP@v)9LXV)xuaAL_Mz>Gv#tCTPE$2QsIg-ws~{oF&m7L5qjHDhS#x@aTG$J!6W-)&_kn-Li-O8jO@KZF!FWKg6T|sWqoMgf zM#5!}X-qrD)8n|jI85ibD}X_KZ*Zg13Nf#o2at3-0KO{$MyDD9$b`<)j+hHiLiQa! zzD{F@C%G@;suzT_Em&;)-{0)sIpp5nh-&J_OBXlVYQS>%7^9tW=YNdjDSlHTWo`@qy*47WY}N15lHrNAI{0lZj; z9opB!06M00*Tns^g9DkDZz&;haaa{eCJh%T%;f>fOs9L&&?RkxjQ0ye5n{kiH+el+ zBwOpnZ53tDeA~u2u_wUgyD;SEQVH5Pr=fu+;b+!`+1)=0G+TUz?kLg>bhSN`n!d@jR2Vw zQM&~`zP&0)UN4UDil3fP@?OtB2mO;fI_`m?X=Yf@@q9ho-GUpM)1OP*tp95T52j3W^&BC|RrevNZu_lBE%{36b1HCF( zi5F-G&@63|obN{Jq@wflmzL1x&1`@%neEilCxd#x4Hz9o=Psb3!E|_6(?AmI8Zq!) zk#5ft%&DSKSr?%W)3VNN2z(^17)GTD23UY@iGj$TH+y!*?G@oVM(w?odkrS0n^F(c z(EMLxwv?Z|r)n4j2LGbx&U?EyO0;&*Wm3QzanXLgI!G?*OPz!^?};?LV)L$Do{3Ec z-Tk*FjT#5$Yw3+}XlO9MpUbb|+5hSWKjk2YH1ruIZ_1dKid|=nC_mdD6W0$vS=u0ctvug55QBEX=`mhIEp103F{_M*vtQn|Fw91#tB~J~Jj>ZCtc^>m0{}$4^XBBa##Xa31d`?r3Oe{%Q=P zR{+dPH|U&T0kAVd8sI=EYhtvze#&(GD1+y55vy5@?Q)oZISmcXUyNR8_MBl+XF2_{ zEdeZ2E_a)rv=k;q>#)uQ+E|Pk1Pk6T?RC%wE=Ts(qZdHa(EQ~X2Hm(5az+!{*%K)X z2ReIuE)j)^(MF(g#M|}Bco1Lz;^lc`Xy^WNApZ$8G&FxL*ngHbz&$Tlj!gC~(UeGy zG&|V<-|Dm^qe|495J^lFjrrLMX=rHvUYaHRlB-Z`Zqik8s!T&e^DjbvRtu_B3UB5n zO{z#kL-TKk9{8f6p`oFnp`oFnp`oFnp`oFnp`oFnp`oFnp`oFnp`oD>5CH!JCr*l00000NkvXXu0mjfZB0Zo literal 0 HcmV?d00001 diff --git a/project-resources/security-hygiene-guide.md b/project-resources/security-hygiene-guide.md index 5758bcfc3..78914b211 100644 --- a/project-resources/security-hygiene-guide.md +++ b/project-resources/security-hygiene-guide.md @@ -15,7 +15,7 @@ Security Guidelines for New Projects aims to provide recommendations for new pro 4. Incident management 5. Badging -![](../images/SecurityGuidelines.png) +![](./SecurityGuidelines.png) **Figure 1**. An overview of security guidelines for new projects 
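Review bot: the `![](./SecurityGuidelines.png)` line has empty alt text, so the figure carries no description for screen readers or for anyone reading the markdown as plain text; since the path is being rewritten anyway, reuse the Figure 1 caption, e.g. `![Overview of security guidelines for new projects](./SecurityGuidelines.png)`. The new `./` path resolves relative to the guide's own directory, so it only works while the PNG sits at `project-resources/SecurityGuidelines.png` next to `security-hygiene-guide.md`.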
@@ -231,10 +231,10 @@ The [OpenSSF Scorecards](https://securityscorecards.dev/) project helps quickly This paper is influenced by the publications of CNCF Technical Advisory Group for Security, particularly the Cloud Native Security Whitepaper[[1]] and Software Supply Chain Security Best Practices Whitepaper,[[2]] and CNCF Cloud Native Security Map[[3]], programs and initiatives by OpenSSF[[4]] [[6]]. Our sincere gratitude for the contributors of these programs and publications, and to Emily Fox for suggesting the creation of this paper, to the contributors and reviewers of this paper. -[1]: https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md -[2]: https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf +[1]: /security-whitepaper/v2/cloud-native-security-whitepaper.md +[2]: /supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf [3]: https://cnsmap.github.io/ [4]: https://bestpractices.coreinfrastructure.org/en -[5]: https://github.com/cncf/tag-security/blob/main/PUBLICATIONS.md +[5]: /publications/README.md [6]: https://securityscorecards.dev/ [7]: https://clomonitor.io/ From 412492f06e7fb30bdc9d7a8864c4b988bef9b98b Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Tue, 25 Jun 2024 22:34:09 -0700 Subject: [PATCH 3/4] linting links Signed-off-by: Eddie Knight --- project-resources/security-hygiene-guide.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/project-resources/security-hygiene-guide.md b/project-resources/security-hygiene-guide.md index 78914b211..b29365753 100644 --- a/project-resources/security-hygiene-guide.md +++ b/project-resources/security-hygiene-guide.md 
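Review bot: the rewritten `[1]`, `[2]` and `[5]` reference definitions use root-relative paths such as `/security-whitepaper/v2/cloud-native-security-whitepaper.md`, which GitHub resolves against the repository root only when the file is rendered inside this repository; a project that copies the guide into its own repo, or a static site serving it from another base path, will get broken links where the old `https://github.com/cncf/tag-security/blob/main/...` URLs still resolved. Note also that `[5]` changes its target from `PUBLICATIONS.md` to `/publications/README.md`, which is a relocation rather than a pure link rewrite, so confirm that file exists on the base branch; `[3]`, `[4]`, `[6]` and `[7]` remain external URLs and are unaffected.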
@@ -65,7 +65,7 @@ We recommend that any change to the repository should be introduced as part of a ### Issue template -Any ideas, bugs or enhancement suggestions reported to the project need to be tracked, and can then be discussed, triaged and prioritized/de-prioritized for implementation. GitHub Issues are one such avenue that allows tracking and managing ideas until they are brought to fruition. We recommend the following template for proposing changes to the project [CNCF TAG Security Project Resouces - Issue Template](https://github.com/cncf/tag-security/blob/main/project-resources/templates/ISSUE_TEMPLATE.md). +Any ideas, bugs or enhancement suggestions reported to the project need to be tracked, and can then be discussed, triaged and prioritized/de-prioritized for implementation. GitHub Issues are one such avenue that allows tracking and managing ideas until they are brought to fruition. We recommend the following template for proposing changes to the project [CNCF TAG Security Project Resouces - Issue Template](/project-resources/templates/ISSUE_TEMPLATE.md). ### Commit signing 
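Review bot: the link text `CNCF TAG Security Project Resouces - Issue Template` keeps the misspelling `Resouces` on the added line; since the line is being rewritten for the link target, fix it to `Resources` here rather than in a follow-up spelling pass. The root-relative target `/project-resources/templates/ISSUE_TEMPLATE.md` has the same portability caveat as the other rewritten links: it resolves only when the guide is rendered from this repository's root.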
@@ -85,7 +85,7 @@ Code scanning is an automated security test to identify vulnerabilities and erro In addition to scanning your code for identifying vulnerabilities and errors, managing the vulnerabilities dependencies is also important. [Dependabot](https://github.com/dependabot) is one tool that helps in managing vulnerabilities in dependencies by automatically raising a pull request to update vulnerable versions to secure versions of that dependency. These pull requests can be then analyzed, and further action can be taken. Further details of Dependabot and configuring it in your project code repository can be found at [GitHub Docs - Automatically updating dependencies with known vulnerabilities with Dependabot security updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates). -For further information on securing the code repository, we recommend reviewing the **GitOps section** of the [CNCF Cloud Native Security Whitepaper](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md#gitopsnew-in-v2) and the **Control Environments** sections of the [CNCF Software Supply Chain Best Practices paper](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) +For further information on securing the code repository, we recommend reviewing the **GitOps section** of the [CNCF Cloud Native Security Whitepaper](/security-whitepaper/v2/cloud-native-security-whitepaper.md#gitopsnew-in-v2) and the **Control Environments** sections of the [CNCF Software Supply Chain Best Practices paper](/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) ## 2. Self-assessment 
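Review bot: the added line still ends without a full stop after the `CNCF Software Supply Chain Best Practices paper` link, and `**Control Environments** sections` should be singular to match `**GitOps section**` earlier in the sentence. The `#gitopsnew-in-v2` fragment is correctly carried over onto the new root-relative path, but a fragment on a root-relative path is only checkable when the whitepaper is rendered from this repository, so the repo's own link checker should be the one validating it.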
@@ -104,13 +104,13 @@ Self-assessment dives into the following aspects of the project to understand th 7. Secure development practices 8. Resolving security issues -A template to perform the self assessment is available at [CNCF TAG Security Project Resouces - Self-assessment](https://github.com/cncf/tag-security/blob/main/assessments/guide/self-assessment.md). All the assessments (self-assessment and joint assessment) conducted by TAG Security can be found at TAG Security GitHub repository. As an example, self assessments are available within the dedicated project folders at [Assessments folder of the CNCF TAG Security GitHub repository](https://github.com/cncf/tag-security/tree/main/assessments/projects). Further sections (SECURITY.md in particular) in this document provide some of the pointers to address the gaps and create the necessary process & documentation. +A template to perform the self assessment is available at [CNCF TAG Security Project Resouces - Self-assessment](/community/assessments/guide/self-assessment.md). All the assessments (self-assessment and joint assessment) conducted by TAG Security can be found at TAG Security GitHub repository. As an example, self assessments are available within the dedicated project folders at [Assessments folder of the CNCF TAG Security GitHub repository](/community/assessments/projects). Further sections (SECURITY.md in particular) in this document provide some of the pointers to address the gaps and create the necessary process & documentation. ## 3. SECURITY.md Awareness and processes are a big part of enforcing security in any project. A SECURITY.md file in your repository should talk about the security considerations of the project, and the efforts undertaken to ensure that there are policies and processes in place to report vulnerabilities to the project maintainers, and for project maintainers to notify the community of the status of the vulnerabilities. 
It should also list the dedicated personnel responsible to address these vulnerabilities in a timely manner. In GitHub, the SECURITY.md file creates a security policy, and when someone creates an issue in your repository, they will see a link to your project's security policy. Further information regarding security policy is available at [GitHub Docs - Adding a security policy to your repository](https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository). -CNCF Technical Advisory Group for Security maintains a number of templates to assist projects in addressing these sections, which can be found at [CNCF TAG Security GitHub repository, under Project Resouces folder](https://github.com/cncf/tag-security/tree/main/project-resources). A special thank you to Google's OSS vulnerability guide folks for making the Security TAG aware of this collection of resources upon which much of this content was built on. +CNCF Technical Advisory Group for Security maintains a number of templates to assist projects in addressing these sections, which can be found at [CNCF TAG Security GitHub repository, under Project Resouces folder](/project-resources). A special thank you to Google's OSS vulnerability guide folks for making the Security TAG aware of this collection of resources upon which much of this content was built on. Disclaimer: These resources are designed to be helpful to projects and organizations, they require customization and configuration by the project intending to use them. It does not prevent security issues from being found in a project, will not automatically resolve them, and does not place CNCF Security TAG as the responsible party. If changes are made to these templates, projects are not required to pull in a new update. 
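Review bot: the two self-assessment links move from `assessments/guide/self-assessment.md` and `assessments/projects` to `/community/assessments/guide/self-assessment.md` and `/community/assessments/projects`, so this hunk relocates the targets under a `community/` directory rather than only dropping the `https://github.com/cncf/tag-security/blob/main/` prefix; confirm both paths exist on the base branch, since the `../images` to `./` move earlier in this PR suggests the layout is still shifting. On the same lines but unrelated to the link change: `can be found at TAG Security GitHub repository` is missing `the`, and the `Project Resouces` misspelling appears twice in this hunk (`Resouces - Self-assessment` and `under Project Resouces folder`).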
@@ -120,7 +120,7 @@ This document is an outcome of the self-assessment which articulates all the mea ## 3.2 Security contacts -This document states who are the personnel to reach out to in case of any security questions regarding the project, including but not limited to the triaging and handling of incoming security issues or security reports. Security contacts could be external participants and are not limited to being the maintainers of the projects. A template for this document is available at [CNCF TAG Security Project Resouces - Security Contacts](https://github.com/cncf/tag-security/blob/main/project-resources/templates/SECURITY_CONTACTS.md) +This document states who are the personnel to reach out to in case of any security questions regarding the project, including but not limited to the triaging and handling of incoming security issues or security reports. Security contacts could be external participants and are not limited to being the maintainers of the projects. A template for this document is available at [CNCF TAG Security Project Resouces - Security Contacts](/project-resources/templates/SECURITY_CONTACTS.md) **NOTE** 
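Review bot: the added `Security Contacts` line ends at `)` with no terminating period; add one, as the preceding sentences in the paragraph are all closed. The target `/project-resources/templates/SECURITY_CONTACTS.md` is root-relative, with the same portability caveat as the rest of the link rewrite.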
@@ -130,7 +130,7 @@ CNCF could help create a mailing address (through service desk ticket) should pr Vulnerabilities are sensitive information and exposure of information regarding vulnerabilities without the availability of a patch generates unintended risk for all the consumers of this project, hence it should be handled with caution. -At a minimum, the vulnerability reporting policy projects should include is as follows, A template for this document is available at [CNCF TAG Security Project Resouces - Reporting a Vulnerability](https://github.com/cncf/tag-security/blob/main/project-resources/templates/SECURITY.md#reporting-a-vulnerability): +At a minimum, the vulnerability reporting policy projects should include is as follows, A template for this document is available at [CNCF TAG Security Project Resouces - Reporting a Vulnerability](/project-resources/templates/SECURITY.md#reporting-a-vulnerability): 1. The medium to report vulnerabilities - Email, Web form etc. 2. Disclosure timeline @@ -152,7 +152,7 @@ The vulnerabilities reported to the project are then handled by the security poi 5. The consequences of any violations 6. Disclosure timeline -A template for this document is available at [CNCF TAG Security Project Resouces - Embargo Policy](https://github.com/cncf/tag-security/blob/main/project-resources/templates/embargo-policy.md) +A template for this document is available at [CNCF TAG Security Project Resouces - Embargo Policy](/project-resources/templates/embargo-policy.md) ## 3.5 Security notifications 
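Review bot: in the `@@ -130` hunk, `the vulnerability reporting policy projects should include is as follows, A template for this document is available at ...` is a comma splice with a capitalized `A` mid-sentence; since the line is being rewritten for the link anyway, either end the first sentence at `as follows.` and make `A template ...` its own sentence, or move the template sentence after the numbered list so that `as follows:` directly introduces the list items.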
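Review bot: in the `@@ -152` hunk, the rewritten `Embargo Policy` link line ends at `)` without a period, the same omission as the `Security Contacts` line earlier in this commit; closing each of these one-sentence paragraphs consistently keeps the markdown linter quiet and the document uniform.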
@@ -168,7 +168,7 @@ The vulnerabilities may need to be reported to certain stakeholders, and for thi 8. Timeline of events associated with this notification 9. Any additional information relevant for this notification -A template for this notification is available at [CNCF TAG Security Project Resouces - Embargo](https://github.com/cncf/tag-security/blob/main/project-resources/templates/embargo.md) +A template for this notification is available at [CNCF TAG Security Project Resouces - Embargo](/project-resources/templates/embargo.md) ## 4. Incident Response @@ -188,7 +188,7 @@ Incidence response primarily states how the vulnerability is triaged, replicated 1. If a CVE is already present, request the CVE 4. Patch publication and Notification -In addition to the above, you could also consider adding relevant timelines, including but not limited to third party disclosure timelines. A template for the incident management process is available at [CNCF TAG Security Project Resouces - Incident Response](https://github.com/cncf/tag-security/blob/main/project-resources/templates/incident-response.md) +In addition to the above, you could also consider adding relevant timelines, including but not limited to third party disclosure timelines. A template for the incident management process is available at [CNCF TAG Security Project Resouces - Incident Response](/project-resources/templates/incident-response.md) ## 5. OpenSSF best practices badging From 16523ab670a78b566123459e18814977748b784e Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Wed, 26 Jun 2024 08:44:02 -0700 Subject: [PATCH 4/4] Spelling fixes Signed-off-by: Eddie Knight --- ci/spelling-config.json | 13 ++++++++++++- project-resources/security-hygiene-guide.md | 16 ++++++++-------- 2 files changed, 20 insertions(+), 9 deletions(-) diff --git a/ci/spelling-config.json b/ci/spelling-config.json index ec6bb0e55..4bb829b69 100644 --- a/ci/spelling-config.json +++ b/ci/spelling-config.json 
@@ -8,13 +8,16 @@ "words": [ "ABAC", "addfetnetgrent", + "Aniszczyk", "antifragile", "APAC", "archives", "ATT&CK", "backdoors", + "Benedictis", "Buildpacks", "BYOK", + "Cappos", "cgroups", "chainguard", "cisecurity", @@ -104,20 +107,25 @@ "pearweb", "PHP", "protobuf", + "Pronin", "ptree", "pyproject", + "Razzak", "RBAC", "Rego", "Roadmap", + "Ragashree", "runtimes", "sandboxed", "sandboxing", "Sarbanes", + "Sergey", "SAST", "SBOM", "sdlc", "seccomp", "semgrep", + "Shlomo", "Sigstore", "SLSA", "snyk", @@ -134,6 +142,7 @@ "Syft", "syscall", "TAR", + "timeframe", "TOCTOU", "toolset", "triage", @@ -151,6 +160,8 @@ "usecase", "venv", "Virtool", - "Wolt" + "Wolt", + "Yubi", + "Zalman" ] } diff --git a/project-resources/security-hygiene-guide.md b/project-resources/security-hygiene-guide.md index b29365753..87af35a9b 100644 --- a/project-resources/security-hygiene-guide.md +++ b/project-resources/security-hygiene-guide.md @@ -65,7 +65,7 @@ We recommend that any change to the repository should be introduced as part of a ### Issue template -Any ideas, bugs or enhancement suggestions reported to the project need to be tracked, and can then be discussed, triaged and prioritized/de-prioritized for implementation. GitHub Issues are one such avenue that allows tracking and managing ideas until they are brought to fruition. We recommend the following template for proposing changes to the project [CNCF TAG Security Project Resouces - Issue Template](/project-resources/templates/ISSUE_TEMPLATE.md). +Any ideas, bugs or enhancement suggestions reported to the project need to be tracked, and can then be discussed, triaged and prioritized/de-prioritized for implementation. GitHub Issues are one such avenue that allows tracking and managing ideas until they are brought to fruition. We recommend the following template for proposing changes to the project [CNCF TAG Security Project Resources - Issue Template](/project-resources/templates/ISSUE_TEMPLATE.md). ### Commit signing 
@@ -104,13 +104,13 @@ Self-assessment dives into the following aspects of the project to understand th 7. Secure development practices 8. Resolving security issues -A template to perform the self assessment is available at [CNCF TAG Security Project Resouces - Self-assessment](/community/assessments/guide/self-assessment.md). All the assessments (self-assessment and joint assessment) conducted by TAG Security can be found at TAG Security GitHub repository. As an example, self assessments are available within the dedicated project folders at [Assessments folder of the CNCF TAG Security GitHub repository](/community/assessments/projects). Further sections (SECURITY.md in particular) in this document provide some of the pointers to address the gaps and create the necessary process & documentation. +A template to perform the self assessment is available at [CNCF TAG Security Project Resources - Self-assessment](/community/assessments/guide/self-assessment.md). All the assessments (self-assessment and joint assessment) conducted by TAG Security can be found at TAG Security GitHub repository. As an example, self assessments are available within the dedicated project folders at [Assessments folder of the CNCF TAG Security GitHub repository](/community/assessments/projects). Further sections (SECURITY.md in particular) in this document provide some of the pointers to address the gaps and create the necessary process & documentation. ## 3. SECURITY.md Awareness and processes are a big part of enforcing security in any project. A SECURITY.md file in your repository should talk about the security considerations of the project, and the efforts undertaken to ensure that there are policies and processes in place to report vulnerabilities to the project maintainers, and for project maintainers to notify the community of the status of the vulnerabilities. It should also list the dedicated personnel responsible to address these vulnerabilities in a timely manner. 
In GitHub, the SECURITY.md file creates a security policy, and when someone creates an issue in your repository, they will see a link to your project's security policy. Further information regarding security policy is available at [GitHub Docs - Adding a security policy to your repository](https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository). -CNCF Technical Advisory Group for Security maintains a number of templates to assist projects in addressing these sections, which can be found at [CNCF TAG Security GitHub repository, under Project Resouces folder](/project-resources). A special thank you to Google's OSS vulnerability guide folks for making the Security TAG aware of this collection of resources upon which much of this content was built on. +CNCF Technical Advisory Group for Security maintains a number of templates to assist projects in addressing these sections, which can be found at [CNCF TAG Security GitHub repository, under Project resources folder](/project-resources). A special thank you to Google's OSS vulnerability guide folks for making the Security TAG aware of this collection of resources upon which much of this content was built on. Disclaimer: These resources are designed to be helpful to projects and organizations, they require customization and configuration by the project intending to use them. It does not prevent security issues from being found in a project, will not automatically resolve them, and does not place CNCF Security TAG as the responsible party. If changes are made to these templates, projects are not required to pull in a new update. 
@@ -120,7 +120,7 @@ This document is an outcome of the self-assessment which articulates all the mea ## 3.2 Security contacts -This document states who are the personnel to reach out to in case of any security questions regarding the project, including but not limited to the triaging and handling of incoming security issues or security reports. Security contacts could be external participants and are not limited to being the maintainers of the projects. A template for this document is available at [CNCF TAG Security Project Resouces - Security Contacts](/project-resources/templates/SECURITY_CONTACTS.md) +This document states who are the personnel to reach out to in case of any security questions regarding the project, including but not limited to the triaging and handling of incoming security issues or security reports. Security contacts could be external participants and are not limited to being the maintainers of the projects. A template for this document is available at [CNCF TAG Security Project resources - Security Contacts](/project-resources/templates/SECURITY_CONTACTS.md) **NOTE** 
@@ -130,7 +130,7 @@ CNCF could help create a mailing address (through service desk ticket) should pr Vulnerabilities are sensitive information and exposure of information regarding vulnerabilities without the availability of a patch generates unintended risk for all the consumers of this project, hence it should be handled with caution. -At a minimum, the vulnerability reporting policy projects should include is as follows, A template for this document is available at [CNCF TAG Security Project Resouces - Reporting a Vulnerability](/project-resources/templates/SECURITY.md#reporting-a-vulnerability): +At a minimum, the vulnerability reporting policy projects should include is as follows, A template for this document is available at [CNCF TAG Security Project resources - Reporting a Vulnerability](/project-resources/templates/SECURITY.md#reporting-a-vulnerability): 1. The medium to report vulnerabilities - Email, Web form etc. 2. Disclosure timeline @@ -152,7 +152,7 @@ The vulnerabilities reported to the project are then handled by the security poi 5. The consequences of any violations 6. Disclosure timeline -A template for this document is available at [CNCF TAG Security Project Resouces - Embargo Policy](/project-resources/templates/embargo-policy.md) +A template for this document is available at [CNCF TAG Security Project resources - Embargo Policy](/project-resources/templates/embargo-policy.md) ## 3.5 Security notifications @@ -168,7 +168,7 @@ The vulnerabilities may need to be reported to certain stakeholders, and for thi 8. Timeline of events associated with this notification 9. Any additional information relevant for this notification -A template for this notification is available at [CNCF TAG Security Project Resouces - Embargo](/project-resources/templates/embargo.md) +A template for this notification is available at [CNCF TAG Security Project resources - Embargo](/project-resources/templates/embargo.md) ## 4. Incident Response 
@@ -188,7 +188,7 @@ Incidence response primarily states how the vulnerability is triaged, replicated 1. If a CVE is already present, request the CVE 4. Patch publication and Notification -In addition to the above, you could also consider adding relevant timelines, including but not limited to third party disclosure timelines. A template for the incident management process is available at [CNCF TAG Security Project Resouces - Incident Response](/project-resources/templates/incident-response.md) +In addition to the above, you could also consider adding relevant timelines, including but not limited to third party disclosure timelines. A template for the incident management process is available at [CNCF TAG Security Project resources - Incident Response](/project-resources/templates/incident-response.md) ## 5. OpenSSF best practices badging
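Review bot: the root-relative targets introduced by the earlier patch in its `@@ -120`, `@@ -130`, `@@ -152`, `@@ -168` and `@@ -188` hunks (for example `[...](/project-resources/templates/SECURITY_CONTACTS.md)` replacing `https://github.com/cncf/tag-security/blob/main/project-resources/templates/SECURITY_CONTACTS.md`) only resolve when GitHub renders the file inside this repository; the guide is written for other projects to copy and adapt, and once the markdown is vendored into another repository or rendered by a docs site those paths no longer point at anything, whereas the absolute links they replace work from anywhere. Either keep absolute links for a document meant to be reused, or state in the guide that the links are repository-relative. The same hunks also carry the `Resouces` link text through unchanged, which forces patch 4/4 to rewrite every one of these lines a second time; fixing the spelling while the lines were already being touched would have avoided that churn.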
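Review bot: the insertions into `ci/spelling-config.json` in the `@@ -104,20 +107,25 @@` hunk break the case-insensitive alphabetical order the rest of the list keeps: `"Ragashree"` is placed after `"Roadmap"` but sorts before `"Razzak"`, `"Sergey"` is placed between `"Sarbanes"` and `"SAST"` but sorts after `"semgrep"`, and `"Pronin"` is placed after `"protobuf"` but sorts before it. An allow list is only reviewable when it stays sorted, so please re-sort those three. Separately, the `@@ -134,6 +142,7 @@` hunk adds `"timeframe"` as a permanent exception; if the guide uses that word once, writing `time frame` in the text is a smaller change than teaching the checker to accept it.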
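Review bot: the spelling fix is applied with two different capitalizations across the guide. The `@@ -65` and `@@ -104` hunks change the link text to `CNCF TAG Security Project Resources`, while within the same `@@ -104` hunk the folder reference becomes `Project resources folder`, and the `@@ -120`, `@@ -130`, `@@ -152`, `@@ -168` and `@@ -188` hunks all use `CNCF TAG Security Project resources`. Pick one form (the capitalized `Project Resources` matches the other proper-noun link texts) and apply it in every hunk, otherwise the next spelling pass will touch all of these lines again.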
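Review bot: in the `@@ -120,7 +120,7 @@` hunk the rewritten line keeps the awkward opening `This document states who are the personnel to reach out to in case of any security questions regarding the project`; since the line is being rewritten anyway, `This document names the people to contact with any security question about the project` says the same thing without the tangled clause, and the following sentence can then read `Security contacts may be external participants and need not be project maintainers`.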
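Review bot: the `@@ -130,7 +130,7 @@` hunk rewrites the line `At a minimum, the vulnerability reporting policy projects should include is as follows, A template for this document is available at [...]:` but leaves it ungrammatical (two sentences run together with a comma and a stray `is`). Suggested form for the same line: `At a minimum, a project's vulnerability reporting policy should include the following. A template for this document is available at [CNCF TAG Security Project Resources - Reporting a Vulnerability](/project-resources/templates/SECURITY.md#reporting-a-vulnerability):` so the colon still introduces the numbered list that follows.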
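Review bot: two problems sit in the unchanged context of the `@@ -188,7 +188,7 @@` hunk that a spelling pass should pick up. The hunk header shows the paragraph starts `Incidence response primarily states how the vulnerability is triaged`, but the section is `## 4. Incident Response`, so this should be `Incident response`. The list items above the changed line read `1. If a CVE is already present, request the CVE` followed by `4. Patch publication and Notification`; the jump from 1 to 4 indicates a nested sub-list whose indentation was lost, and the condition reads inverted (requesting a CVE only makes sense when one is not already assigned). Please confirm the intended wording, likely `If a CVE is not already assigned, request one`, and restore the nesting so the numbering renders correctly.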