generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

SECURITY: slightly nicer markdown format

Browse Source
This commit is contained in:
Daniel Stenberg 2014-10-10 10:50:23 +02:00
parent 4f3ba55ed1
commit c6c22aeb44
1 changed files with 11 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
docs/SECURITY
View File

@ -4,21 +4,24 @@
| (__| |_| | _ <| |___ | (__| |_| | _ <| |___
\___|\___/|_| \_\_____| \___|\___/|_| \_\_____|
CURL SECURITY FOR DEVELOPERS curl security for developers
============================
This document is intended to provide guidance to curl developers on how This document is intended to provide guidance to curl developers on how
security vulnerabilities should be handled. security vulnerabilities should be handled.
PUBLISHING INFORMATION Publishing Information
----------------------
All known and public curl or libcurl related vulnerabilities are listed at All known and public curl or libcurl related vulnerabilities are listed on
http://curl.haxx.se/docs/security.html [the curl web site security page](http://curl.haxx.se/docs/security.html).
Security vulnerabilities should not be entered in the project's public bug Security vulnerabilities should not be entered in the project's public bug
tracker unless the necessary configuration is in place to limit access to the tracker unless the necessary configuration is in place to limit access to the
issue to only the reporter and the project's security team. issue to only the reporter and the project's security team.
VULNERABILITY HANDLING Vulnerability Handling
----------------------
The typical process for handling a new security vulnerability is as follows. The typical process for handling a new security vulnerability is as follows.
@ -31,7 +34,7 @@ any reference to the security nature of the commit if done prior to the public
announcement. announcement.
- The person discovering the issue, the reporter, reports the vulnerability - The person discovering the issue, the reporter, reports the vulnerability
privately to curl-security@haxx.se. That's an email alias that reaches a privately to `curl-security@haxx.se`. That's an email alias that reaches a
handful of selected and trusted people. handful of selected and trusted people.
- Messages that do not relate to the reporting or managing of an undisclosed - Messages that do not relate to the reporting or managing of an undisclosed
@ -63,7 +66,7 @@ announcement.
workarounds, when the release is out and make sure to credit all workarounds, when the release is out and make sure to credit all
contributors properly. contributors properly.
- Request a CVE number from distros@openwall.org[1] when also informing and - Request a CVE number from distros@openwall[1] when also informing and
preparing them for the upcoming public security vulnerability announcement - preparing them for the upcoming public security vulnerability announcement -
attach the advisory draft for information. Note that 'distros' won't accept attach the advisory draft for information. Note that 'distros' won't accept
an embargo longer than 19 days. an embargo longer than 19 days.
@ -91,6 +94,7 @@ announcement.
[1] = http://oss-security.openwall.org/wiki/mailing-lists/distros [1] = http://oss-security.openwall.org/wiki/mailing-lists/distros
CURL-SECURITY (at haxx dot se) CURL-SECURITY (at haxx dot se)
------------------------------
Who is on this list? There are a couple of criteria you must meet, and then we Who is on this list? There are a couple of criteria you must meet, and then we
might ask you to join the list or you can ask to join it. It really isn't very might ask you to join the list or you can ask to join it. It really isn't very