| field | value | date |
|---|---|---|
| author | Daniel Stenberg <daniel@haxx.se> | 2018-03-14 14:20:24 +0100 |
| committer | Daniel Stenberg <daniel@haxx.se> | 2018-03-14 14:20:24 +0100 |
| commit | a857057536df6e55cb8eec0f894c192fe594272d (patch) | |
| tree | 99322016ab0b732170aa7d1201e635b99361f77c | |
| parent | 920f73a6906dce87c6ee87c32b109a287189965d (diff) | |
SECURITY-PROCESS: mention how we write/add advisories
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | docs/SECURITY-PROCESS.md | 29 |

1 file changed, 26 insertions, 3 deletions
diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md index d39c5a1fb..4991d5fb7 100644 --- a/docs/SECURITY-PROCESS.md +++ b/docs/SECURITY-PROCESS.md @@ -56,9 +56,9 @@ announcement. then a separate earlier release for security reasons should be considered. - Write a security advisory draft about the problem that explains what the - problem is, its impact, which versions it affects, solutions or - workarounds, when the release is out and make sure to credit all - contributors properly. + problem is, its impact, which versions it affects, solutions or workarounds, + when the release is out and make sure to credit all contributors properly. + Figure out the CWE (Common Weakness Enumeration) number for the flaw. - Request a CVE number from [distros@openwall](http://oss-security.openwall.org/wiki/mailing-lists/distros) 
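Review bot: the added bullet line in this hunk ("Figure out the CWE (Common Weakness Enumeration) number for the flaw.") says to determine the CWE but not what to do with it, and since it sits inside the bullet about the advisory draft the reader is left guessing whether the number belongs in the advisory, in the CVE request, or both. Suggest spelling that out, e.g. "Figure out the CWE (Common Weakness Enumeration) number for the flaw and state it in the advisory." The other changed lines in the hunk only re-wrap the existing sentence and are fine.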
@@ -114,3 +114,26 @@ plans in vanishing in the near future. We do not make the list of participants public mostly because it tends to vary somewhat over time and a list somewhere will only risk getting outdated. + +Publishing Security Advisories +------------------------------ + +1. Write up the security advisory, using markdown syntax. Use the same + subtitles as last time to maintain consistency. + +2. Name the advisory file (and ultimately the URL to be used when the flaw + gets published), using a randomized component so that third parties that + are involved in the process for each individual flaw will not be given + insights about possible *other* flaws worked on in parallel. + `adv_YEAR_RANDOM.md` has been used before. + +3. Add a line on the top of the array in `curl-www/docs/vuln.pm'. + +4. Put the new advisory markdown file in the curl-www/docs/ directory. Add it + to the git repo. Update the Makefile in the same directory to build the + HTML representation. + +5. Run `make` in your local web checkout and verify that things look fine. + +6. On security advisory release day, push the changes on the curl-www + repository's remote master branch. |
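Review bot: step 3 of the new "Publishing Security Advisories" list has mismatched quotes around the file name (`curl-www/docs/vuln.pm' opens with a backtick and closes with a single quote) and never says what "a line on the top of the array" should contain; close it with a backtick and describe the entry, or at least tell the reader to copy the shape of the existing top row. Two smaller points in the same list: step 2 says `adv_YEAR_RANDOM.md` "has been used before" but not how the RANDOM part is produced, and since the stated goal is that third parties cannot guess the names of other advisories in flight, the text should say what form of randomness is expected rather than leave it to each author; step 6 reads "push the changes on the curl-www repository's remote master branch", which should be "to", and it would help to state explicitly that nothing from steps 3 to 5 is pushed to that remote before release day, because a push of the file or the vuln.pm row publishes it.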