1curl security process 2===================== 3 4This document describes how security vulnerabilities should be handled in the 5curl project. 6 7Publishing Information 8---------------------- 9 10All known and public curl or libcurl related vulnerabilities are listed on 11[the curl web site security page](https://curl.haxx.se/docs/security.html). 12 13Security vulnerabilities should not be entered in the project's public bug 14tracker unless the necessary configuration is in place to limit access to the 15issue to only the reporter and the project's security team. 16 17Vulnerability Handling 18---------------------- 19 20The typical process for handling a new security vulnerability is as follows. 21 22No information should be made public about a vulnerability until it is 23formally announced at the end of this process. That means, for example that a 24bug tracker entry must NOT be created to track the issue since that will make 25the issue public and it should not be discussed on any of the project's public 26mailing lists. Also messages associated with any commits should not make 27any reference to the security nature of the commit if done prior to the public 28announcement. 29 30- The person discovering the issue, the reporter, reports the vulnerability 31 privately to `curl-security@haxx.se`. That's an email alias that reaches a 32 handful of selected and trusted people. 33 34- Messages that do not relate to the reporting or managing of an undisclosed 35 security vulnerability in curl or libcurl are ignored and no further action 36 is required. 37 38- A person in the security team sends an e-mail to the original reporter to 39 acknowledge the report. 40 41- The security team investigates the report and either rejects it or accepts 42 it. 43 44- If the report is rejected, the team writes to the reporter to explain why. 45 46- If the report is accepted, the team writes to the reporter to let him/her 47 know it is accepted and that they are working on a fix. 48 49- The security team discusses the problem, works out a fix, considers the 50 impact of the problem and suggests a release schedule. This discussion 51 should involve the reporter as much as possible. 52 53- The release of the information should be "as soon as possible" and is most 54 often synced with an upcoming release that contains the fix. If the 55 reporter, or anyone else, thinks the next planned release is too far away 56 then a separate earlier release for security reasons should be considered. 57 58- Write a security advisory draft about the problem that explains what the 59 problem is, its impact, which versions it affects, solutions or workarounds, 60 when the release is out and make sure to credit all contributors properly. 61 Figure out the CWE (Common Weakness Enumeration) number for the flaw. 62 63- Request a CVE number from 64 [distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros) 65 when also informing and preparing them for the upcoming public security 66 vulnerability announcement - attach the advisory draft for information. Note 67 that 'distros' won't accept an embargo longer than 14 days and they do not 68 care for Windows-specific flaws. For windows-specific flaws, request CVE 69 directly from MITRE. 70 71- Update the "security advisory" with the CVE number. 72 73- The security team commits the fix in a private branch. The commit message 74 should ideally contain the CVE number. This fix is usually also distributed 75 to the 'distros' mailing list to allow them to use the fix prior to the 76 public announcement. 77 78- No more than 48 hours before the release, the private branch is merged into 79 the master branch and pushed. Once pushed, the information is accessible to 80 the public and the actual release should follow suit immediately afterwards. 81 The time between the push and the release is used for final tests and 82 reviews. 83 84- The project team creates a release that includes the fix. 85 86- The project team announces the release and the vulnerability to the world in 87 the same manner we always announce releases. It gets sent to the 88 curl-announce, curl-library and curl-users mailing lists. 89 90- The security web page on the web site should get the new vulnerability 91 mentioned. 92 93curl-security (at haxx dot se) 94------------------------------ 95 96Who is on this list? There are a couple of criteria you must meet, and then we 97might ask you to join the list or you can ask to join it. It really isn't very 98formal. We basically only require that you have a long-term presence in the 99curl project and you have shown an understanding for the project and its way 100of working. You must've been around for a good while and you should have no 101plans in vanishing in the near future. 102 103We do not make the list of participants public mostly because it tends to vary 104somewhat over time and a list somewhere will only risk getting outdated. 105 106Publishing Security Advisories 107------------------------------ 108 1091. Write up the security advisory, using markdown syntax. Use the same 110 subtitles as last time to maintain consistency. 111 1122. Name the advisory file after the allocated CVE id. 113 1143. Add a line on the top of the array in `curl-www/docs/vuln.pm'. 115 1164. Put the new advisory markdown file in the curl-www/docs/ directory. Add it 117 to the git repo. 118 1195. Run `make` in your local web checkout and verify that things look fine. 120 1216. On security advisory release day, push the changes on the curl-www 122 repository's remote master branch. 123 124Hackerone Internet Bug Bounty 125----------------------------- 126 127The curl project does not run any bounty program on its own, but there are 128outside organizations that do. First report your issue the normal way and 129proceed as described in this document. 130 131Then, if the issue is [critical](https://hackerone.com/ibb-data), you are 132eligible to apply for a bounty from Hackerone for your find. 133 134Once your reported vulnerability has been publicly disclosed by the curl 135project, you can submit a [report to them](https://hackerone.com/ibb-data).