diff options
Diffstat (limited to 'docs/SECURITY-PROCESS.md')
| -rw-r--r-- | docs/SECURITY-PROCESS.md | 59 |
1 files changed, 26 insertions, 33 deletions
diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md index 9dd4cb77b..e844a9a90 100644 --- a/docs/SECURITY-PROCESS.md +++ b/docs/SECURITY-PROCESS.md @@ -10,9 +10,8 @@ Publishing Information All known and public curl or libcurl related vulnerabilities are listed on [the curl web site security page](https://curl.haxx.se/docs/security.html). -Security vulnerabilities should not be entered in the project's public bug -tracker unless the necessary configuration is in place to limit access to the -issue to only the reporter and the project's security team. +Security vulnerabilities **should not** be entered in the project's public bug +tracker. Vulnerability Handling ---------------------- @@ -23,20 +22,20 @@ No information should be made public about a vulnerability until it is formally announced at the end of this process. That means, for example that a bug tracker entry must NOT be created to track the issue since that will make the issue public and it should not be discussed on any of the project's public -mailing lists. Also messages associated with any commits should not make -any reference to the security nature of the commit if done prior to the public +mailing lists. Also messages associated with any commits should not make any +reference to the security nature of the commit if done prior to the public announcement. -- The person discovering the issue, the reporter, reports the vulnerability - privately to `curl-security@haxx.se`. That's an email alias that reaches a - handful of selected and trusted people. +- The person discovering the issue, the reporter, reports the vulnerability on + [https://hackerone.com/curl](https://hackerone.com/curl). Issues filed there + reach a handful of selected and trusted people. - Messages that do not relate to the reporting or managing of an undisclosed security vulnerability in curl or libcurl are ignored and no further action is required. -- A person in the security team sends an e-mail to the original reporter to - acknowledge the report. +- A person in the security team responds to the original report to acknowledge + that a human has seen the report. - The security team investigates the report and either rejects it or accepts it. @@ -51,9 +50,9 @@ announcement. should involve the reporter as much as possible. - The release of the information should be "as soon as possible" and is most - often synced with an upcoming release that contains the fix. If the - reporter, or anyone else, thinks the next planned release is too far away - then a separate earlier release for security reasons should be considered. + often synchronized with an upcoming release that contains the fix. If the + reporter, or anyone else involved, thinks the next planned release is too + far away, then a separate earlier release should be considered. - Write a security advisory draft about the problem that explains what the problem is, its impact, which versions it affects, solutions or workarounds, @@ -61,12 +60,14 @@ announcement. Figure out the CWE (Common Weakness Enumeration) number for the flaw. - Request a CVE number from + [HackerOne](https://docs.hackerone.com/programs/cve-requests.html) + +- Consider informing [distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros) - when also informing and preparing them for the upcoming public security - vulnerability announcement - attach the advisory draft for information. Note - that 'distros' won't accept an embargo longer than 14 days and they do not - care for Windows-specific flaws. For windows-specific flaws, request CVE - directly from MITRE. + to prepare them about the upcoming public security vulnerability + announcement - attach the advisory draft for information. Note that + 'distros' won't accept an embargo longer than 14 days and they do not care + for Windows-specific flaws. - Update the "security advisory" with the CVE number. @@ -93,6 +94,9 @@ announcement. curl-security (at haxx dot se) ------------------------------ +This is a private mailing list for discussions on and about curl security +issues. + Who is on this list? There are a couple of criteria you must meet, and then we might ask you to join the list or you can ask to join it. It really isn't very formal. We basically only require that you have a long-term presence in the @@ -121,19 +125,8 @@ Publishing Security Advisories 6. On security advisory release day, push the changes on the curl-www repository's remote master branch. -Bountygraph Bug Bounty ----------------------- - -The curl project runs a bug bounty program in association with -bountygraph.com. - -After you have reported a security issue to the curl project, it has been -deemed credible and a patch and advisory has been made public you can be -eligible for a bounty from this program. - -See all details at [BountyGraph](https://bountygraph.com/programs/curl). - -This bounty is relying on funds from -[sponsors](https://bountygraph.com/programs/curl#publicpledges). If you use -curl professionally, consider help funding this! +Bug Bounty +---------- +See [BUG-BOUNTY](https://curl.haxx.se/docs/bugbounty.html) for details on the +bug bounty program. |