1curl security process
2=====================
3
4This document describes how security vulnerabilities should be handled in the
5curl project.
6
7Publishing Information
8----------------------
9
10All known and public curl or libcurl related vulnerabilities are listed on
11[the curl web site security page](https://curl.haxx.se/docs/security.html).
12
13Security vulnerabilities **should not** be entered in the project's public bug
14tracker.
15
16Vulnerability Handling
17----------------------
18
19The typical process for handling a new security vulnerability is as follows.
20
21No information should be made public about a vulnerability until it is
22formally announced at the end of this process. That means, for example that a
23bug tracker entry must NOT be created to track the issue since that will make
24the issue public and it should not be discussed on any of the project's public
25mailing lists. Also messages associated with any commits should not make any
26reference to the security nature of the commit if done prior to the public
27announcement.
28
29- The person discovering the issue, the reporter, reports the vulnerability on
30  [https://hackerone.com/curl](https://hackerone.com/curl). Issues filed there
31  reach a handful of selected and trusted people.
32
33- Messages that do not relate to the reporting or managing of an undisclosed
34  security vulnerability in curl or libcurl are ignored and no further action
35  is required.
36
37- A person in the security team responds to the original report to acknowledge
38  that a human has seen the report.
39
40- The security team investigates the report and either rejects it or accepts
41  it.
42
43- If the report is rejected, the team writes to the reporter to explain why.
44
45- If the report is accepted, the team writes to the reporter to let him/her
46  know it is accepted and that they are working on a fix.
47
48- The security team discusses the problem, works out a fix, considers the
49  impact of the problem and suggests a release schedule. This discussion
50  should involve the reporter as much as possible.
51
52- The release of the information should be "as soon as possible" and is most
53  often synchronized with an upcoming release that contains the fix. If the
54  reporter, or anyone else involved, thinks the next planned release is too
55  far away, then a separate earlier release should be considered.
56
57- Write a security advisory draft about the problem that explains what the
58  problem is, its impact, which versions it affects, solutions or workarounds,
59  when the release is out and make sure to credit all contributors properly.
60  Figure out the CWE (Common Weakness Enumeration) number for the flaw.
61
62- Request a CVE number from
63  [HackerOne](https://docs.hackerone.com/programs/cve-requests.html)
64
65- Consider informing
66  [distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros)
67  to prepare them about the upcoming public security vulnerability
68  announcement - attach the advisory draft for information. Note that
69  'distros' won't accept an embargo longer than 14 days and they do not care
70  for Windows-specific flaws.
71
72- Update the "security advisory" with the CVE number.
73
74- The security team commits the fix in a private branch. The commit message
75  should ideally contain the CVE number. This fix is usually also distributed
76  to the 'distros' mailing list to allow them to use the fix prior to the
77  public announcement.
78
79- No more than 48 hours before the release, the private branch is merged into
80  the master branch and pushed. Once pushed, the information is accessible to
81  the public and the actual release should follow suit immediately afterwards.
82  The time between the push and the release is used for final tests and
83  reviews.
84
85- The project team creates a release that includes the fix.
86
87- The project team announces the release and the vulnerability to the world in
88  the same manner we always announce releases. It gets sent to the
89  curl-announce, curl-library and curl-users mailing lists.
90
91- The security web page on the web site should get the new vulnerability
92  mentioned.
93
94curl-security (at haxx dot se)
95------------------------------
96
97This is a private mailing list for discussions on and about curl security
98issues.
99
100Who is on this list? There are a couple of criteria you must meet, and then we
101might ask you to join the list or you can ask to join it. It really isn't very
102formal. We basically only require that you have a long-term presence in the
103curl project and you have shown an understanding for the project and its way
104of working. You must've been around for a good while and you should have no
105plans in vanishing in the near future.
106
107We do not make the list of participants public mostly because it tends to vary
108somewhat over time and a list somewhere will only risk getting outdated.
109
110Publishing Security Advisories
111------------------------------
112
1131. Write up the security advisory, using markdown syntax. Use the same
114   subtitles as last time to maintain consistency.
115
1162. Name the advisory file after the allocated CVE id.
117
1183. Add a line on the top of the array in `curl-www/docs/vuln.pm'.
119
1204. Put the new advisory markdown file in the curl-www/docs/ directory. Add it
121   to the git repo.
122
1235. Run `make` in your local web checkout and verify that things look fine.
124
1256. On security advisory release day, push the changes on the curl-www
126   repository's remote master branch.
127
128Bug Bounty
129----------
130
131See [BUG-BOUNTY](https://curl.haxx.se/docs/bugbounty.html) for details on the
132bug bounty program.
133