1                                  _   _ ____  _
2                              ___| | | |  _ \| |
3                             / __| | | | |_) | |
4                            | (__| |_| |  _ <| |___
5                             \___|\___/|_| \_\_____|
6
7curl security for developers
8============================
9
10This document is intended to provide guidance to curl developers on how
11security vulnerabilities should be handled.
12
13Publishing Information
14----------------------
15
16All known and public curl or libcurl related vulnerabilities are listed on
17[the curl web site security page](http://curl.haxx.se/docs/security.html).
18
19Security vulnerabilities should not be entered in the project's public bug
20tracker unless the necessary configuration is in place to limit access to the
21issue to only the reporter and the project's security team.
22
23Vulnerability Handling
24----------------------
25
26The typical process for handling a new security vulnerability is as follows.
27
28No information should be made public about a vulnerability until it is
29formally announced at the end of this process. That means, for example that a
30bug tracker entry must NOT be created to track the issue since that will make
31the issue public and it should not be discussed on any of the project's public
32mailing lists. Also messages associated with any commits should not make
33any reference to the security nature of the commit if done prior to the public
34announcement.
35
36- The person discovering the issue, the reporter, reports the vulnerability
37  privately to `curl-security@haxx.se`. That's an email alias that reaches a
38  handful of selected and trusted people.
39
40- Messages that do not relate to the reporting or managing of an undisclosed
41  security vulnerability in curl or libcurl are ignored and no further action
42  is required.
43
44- A person in the security team sends an e-mail to the original reporter to
45  acknowledge the report.
46
47- The security team investigates the report and either rejects it or accepts
48  it.
49
50- If the report is rejected, the team writes to the reporter to explain why.
51
52- If the report is accepted, the team writes to the reporter to let him/her
53  know it is accepted and that they are working on a fix.
54
55- The security team discusses the problem, works out a fix, considers the
56  impact of the problem and suggests a release schedule. This discussion
57  should involve the reporter as much as possible.
58
59- The release of the information should be "as soon as possible" and is most
60  often synced with an upcoming release that contains the fix. If the
61  reporter, or anyone else, thinks the next planned release is too far away
62  then a separate earlier release for security reasons should be considered.
63
64- Write a security advisory draft about the problem that explains what the
65  problem is, its impact, which versions it affects, solutions or
66  workarounds, when the release is out and make sure to credit all
67  contributors properly.
68
69- Request a CVE number from distros@openwall[1] when also informing and
70  preparing them for the upcoming public security vulnerability announcement -
71  attach the advisory draft for information. Note that 'distros' won't accept
72  an embargo longer than 19 days.
73
74- Update the "security advisory" with the CVE number.
75
76- The security team commits the fix in a private branch. The commit message
77  should ideally contain the CVE number. This fix is usually also distributed
78  to the 'distros' mailing list to allow them to use the fix prior to the
79  public announcement.
80
81- At the day of the next release, the private branch is merged into the master
82  branch and pushed. Once pushed, the information is accessible to the public
83  and the actual release should follow suit immediately afterwards.
84
85- The project team creates a release that includes the fix.
86
87- The project team announces the release and the vulnerability to the world in
88  the same manner we always announce releases. It gets sent to the
89  curl-announce, curl-library and curl-users mailing lists.
90
91- The security web page on the web site should get the new vulnerability
92  mentioned.
93
94[1] = http://oss-security.openwall.org/wiki/mailing-lists/distros
95
96CURL-SECURITY (at haxx dot se)
97------------------------------
98
99Who is on this list? There are a couple of criteria you must meet, and then we
100might ask you to join the list or you can ask to join it. It really isn't very
101formal. We basically only require that you have a long-term presence in the
102curl project and you have shown an understanding for the project and its way
103of working. You must've been around for a good while and you should have no
104plans in vanishing in the near future.
105
106We do not make the list of partipants public mostly because it tends to vary
107somewhat over time and a list somewhere will only risk getting outdated.
108