1curl security process 2===================== 3 4This document describes how security vulnerabilities should be handled in the 5curl project. 6 7Publishing Information 8---------------------- 9 10All known and public curl or libcurl related vulnerabilities are listed on 11[the curl website security page](https://curl.se/docs/security.html). 12 13Security vulnerabilities **should not** be entered in the project's public bug 14tracker. 15 16Vulnerability Handling 17---------------------- 18 19The typical process for handling a new security vulnerability is as follows. 20 21No information should be made public about a vulnerability until it is 22formally announced at the end of this process. That means, for example that a 23bug tracker entry must NOT be created to track the issue since that will make 24the issue public and it should not be discussed on any of the project's public 25mailing lists. Also messages associated with any commits should not make any 26reference to the security nature of the commit if done prior to the public 27announcement. 28 29- The person discovering the issue, the reporter, reports the vulnerability on 30 [https://hackerone.com/curl](https://hackerone.com/curl). Issues filed there 31 reach a handful of selected and trusted people. 32 33- Messages that do not relate to the reporting or managing of an undisclosed 34 security vulnerability in curl or libcurl are ignored and no further action 35 is required. 36 37- A person in the security team responds to the original report to acknowledge 38 that a human has seen the report. 39 40- The security team investigates the report and either rejects it or accepts 41 it. 42 43- If the report is rejected, the team writes to the reporter to explain why. 44 45- If the report is accepted, the team writes to the reporter to let him/her 46 know it is accepted and that they are working on a fix. 47 48- The security team discusses the problem, works out a fix, considers the 49 impact of the problem and suggests a release schedule. This discussion 50 should involve the reporter as much as possible. 51 52- The release of the information should be "as soon as possible" and is most 53 often synchronized with an upcoming release that contains the fix. If the 54 reporter, or anyone else involved, thinks the next planned release is too 55 far away, then a separate earlier release should be considered. 56 57- Write a security advisory draft about the problem that explains what the 58 problem is, its impact, which versions it affects, solutions or workarounds, 59 when the release is out and make sure to credit all contributors properly. 60 Figure out the CWE (Common Weakness Enumeration) number for the flaw. 61 62- Request a CVE number from 63 [HackerOne](https://docs.hackerone.com/programs/cve-requests.html) 64 65- Update the "security advisory" with the CVE number. 66 67- The security team commits the fix in a private branch. The commit message 68 should ideally contain the CVE number. 69 70- The security team also decides on and delivers a monetary reward to the 71 reporter as per the bug-bounty polices. 72 73- No more than 10 days before release, inform 74 [distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros) 75 to prepare them about the upcoming public security vulnerability 76 announcement - attach the advisory draft for information with CVE and 77 current patch. 'distros' does not accept an embargo longer than 14 days and 78 they do not care for Windows-specific flaws. 79 80- No more than 48 hours before the release, the private branch is merged into 81 the master branch and pushed. Once pushed, the information is accessible to 82 the public and the actual release should follow suit immediately afterwards. 83 The time between the push and the release is used for final tests and 84 reviews. 85 86- The project team creates a release that includes the fix. 87 88- The project team announces the release and the vulnerability to the world in 89 the same manner we always announce releases. It gets sent to the 90 curl-announce, curl-library and curl-users mailing lists. 91 92- The security web page on the website should get the new vulnerability 93 mentioned. 94 95security (at curl dot se) 96------------------------------ 97 98This is a private mailing list for discussions on and about curl security 99issues. 100 101Who is on this list? There are a couple of criteria you must meet, and then we 102might ask you to join the list or you can ask to join it. It really isn't very 103formal. We basically only require that you have a long-term presence in the 104curl project and you have shown an understanding for the project and its way 105of working. You must've been around for a good while and you should have no 106plans in vanishing in the near future. 107 108We do not make the list of participants public mostly because it tends to vary 109somewhat over time and a list somewhere will only risk getting outdated. 110 111Publishing Security Advisories 112------------------------------ 113 1141. Write up the security advisory, using markdown syntax. Use the same 115 subtitles as last time to maintain consistency. 116 1172. Name the advisory file after the allocated CVE id. 118 1193. Add a line on the top of the array in `curl-www/docs/vuln.pm'. 120 1214. Put the new advisory markdown file in the curl-www/docs/ directory. Add it 122 to the git repo. 123 1245. Run `make` in your local web checkout and verify that things look fine. 125 1266. On security advisory release day, push the changes on the curl-www 127 repository's remote master branch. 128 129Hackerone 130--------- 131 132Request the issue to be disclosed. If there are sensitive details present in 133the report and discussion, those should be redacted from the disclosure. The 134default policy is to disclose as much as possible as soon as the vulnerability 135has been published. 136 137Bug Bounty 138---------- 139 140See [BUG-BOUNTY](https://curl.se/docs/bugbounty.html) for details on the 141bug bounty program. 142