Annotation of embedaddon/curl/docs/SECURITY-PROCESS.md, revision 1.1
1.1 ! misho 1: curl security process
! 2: =====================
! 3:
! 4: This document describes how security vulnerabilities should be handled in the
! 5: curl project.
! 6:
! 7: Publishing Information
! 8: ----------------------
! 9:
! 10: All known and public curl or libcurl related vulnerabilities are listed on
! 11: [the curl web site security page](https://curl.haxx.se/docs/security.html).
! 12:
! 13: Security vulnerabilities **should not** be entered in the project's public bug
! 14: tracker.
! 15:
! 16: Vulnerability Handling
! 17: ----------------------
! 18:
! 19: The typical process for handling a new security vulnerability is as follows.
! 20:
! 21: No information should be made public about a vulnerability until it is
! 22: formally announced at the end of this process. That means, for example that a
! 23: bug tracker entry must NOT be created to track the issue since that will make
! 24: the issue public and it should not be discussed on any of the project's public
! 25: mailing lists. Also messages associated with any commits should not make any
! 26: reference to the security nature of the commit if done prior to the public
! 27: announcement.
! 28:
! 29: - The person discovering the issue, the reporter, reports the vulnerability on
! 30: [https://hackerone.com/curl](https://hackerone.com/curl). Issues filed there
! 31: reach a handful of selected and trusted people.
! 32:
! 33: - Messages that do not relate to the reporting or managing of an undisclosed
! 34: security vulnerability in curl or libcurl are ignored and no further action
! 35: is required.
! 36:
! 37: - A person in the security team responds to the original report to acknowledge
! 38: that a human has seen the report.
! 39:
! 40: - The security team investigates the report and either rejects it or accepts
! 41: it.
! 42:
! 43: - If the report is rejected, the team writes to the reporter to explain why.
! 44:
! 45: - If the report is accepted, the team writes to the reporter to let him/her
! 46: know it is accepted and that they are working on a fix.
! 47:
! 48: - The security team discusses the problem, works out a fix, considers the
! 49: impact of the problem and suggests a release schedule. This discussion
! 50: should involve the reporter as much as possible.
! 51:
! 52: - The release of the information should be "as soon as possible" and is most
! 53: often synchronized with an upcoming release that contains the fix. If the
! 54: reporter, or anyone else involved, thinks the next planned release is too
! 55: far away, then a separate earlier release should be considered.
! 56:
! 57: - Write a security advisory draft about the problem that explains what the
! 58: problem is, its impact, which versions it affects, solutions or workarounds,
! 59: when the release is out and make sure to credit all contributors properly.
! 60: Figure out the CWE (Common Weakness Enumeration) number for the flaw.
! 61:
! 62: - Request a CVE number from
! 63: [HackerOne](https://docs.hackerone.com/programs/cve-requests.html)
! 64:
! 65: - Consider informing
! 66: [distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros)
! 67: to prepare them about the upcoming public security vulnerability
! 68: announcement - attach the advisory draft for information. Note that
! 69: 'distros' won't accept an embargo longer than 14 days and they do not care
! 70: for Windows-specific flaws.
! 71:
! 72: - Update the "security advisory" with the CVE number.
! 73:
! 74: - The security team commits the fix in a private branch. The commit message
! 75: should ideally contain the CVE number. This fix is usually also distributed
! 76: to the 'distros' mailing list to allow them to use the fix prior to the
! 77: public announcement.
! 78:
! 79: - No more than 48 hours before the release, the private branch is merged into
! 80: the master branch and pushed. Once pushed, the information is accessible to
! 81: the public and the actual release should follow suit immediately afterwards.
! 82: The time between the push and the release is used for final tests and
! 83: reviews.
! 84:
! 85: - The project team creates a release that includes the fix.
! 86:
! 87: - The project team announces the release and the vulnerability to the world in
! 88: the same manner we always announce releases. It gets sent to the
! 89: curl-announce, curl-library and curl-users mailing lists.
! 90:
! 91: - The security web page on the web site should get the new vulnerability
! 92: mentioned.
! 93:
! 94: curl-security (at haxx dot se)
! 95: ------------------------------
! 96:
! 97: This is a private mailing list for discussions on and about curl security
! 98: issues.
! 99:
! 100: Who is on this list? There are a couple of criteria you must meet, and then we
! 101: might ask you to join the list or you can ask to join it. It really isn't very
! 102: formal. We basically only require that you have a long-term presence in the
! 103: curl project and you have shown an understanding for the project and its way
! 104: of working. You must've been around for a good while and you should have no
! 105: plans in vanishing in the near future.
! 106:
! 107: We do not make the list of participants public mostly because it tends to vary
! 108: somewhat over time and a list somewhere will only risk getting outdated.
! 109:
! 110: Publishing Security Advisories
! 111: ------------------------------
! 112:
! 113: 1. Write up the security advisory, using markdown syntax. Use the same
! 114: subtitles as last time to maintain consistency.
! 115:
! 116: 2. Name the advisory file after the allocated CVE id.
! 117:
! 118: 3. Add a line on the top of the array in `curl-www/docs/vuln.pm'.
! 119:
! 120: 4. Put the new advisory markdown file in the curl-www/docs/ directory. Add it
! 121: to the git repo.
! 122:
! 123: 5. Run `make` in your local web checkout and verify that things look fine.
! 124:
! 125: 6. On security advisory release day, push the changes on the curl-www
! 126: repository's remote master branch.
! 127:
! 128: Bug Bounty
! 129: ----------
! 130:
! 131: See [BUG-BOUNTY](https://curl.haxx.se/docs/bugbounty.html) for details on the
! 132: bug bounty program.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to SECURITY-PROCESS.md CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / curl / docs