From b974cd374165214bc55712b41082d8b3dba43c67 Mon Sep 17 00:00:00 2001 From: Cory Benfield Date: Tue, 17 Mar 2015 20:07:28 +0000 Subject: [PATCH 1/3] Describe our new vulnerabilities process. --- docs/community/support.rst | 36 ---------- docs/community/vulnerabilities.rst | 102 +++++++++++++++++++++++++++++ docs/index.rst | 1 + 3 files changed, 103 insertions(+), 36 deletions(-) create mode 100644 docs/community/vulnerabilities.rst diff --git a/docs/community/support.rst b/docs/community/support.rst index 96f600a1..63069308 100644 --- a/docs/community/support.rst +++ b/docs/community/support.rst @@ -21,42 +21,6 @@ If your question is less than 140 characters, feel free to send a tweet to `@sigmavirus24 `_, or `@lukasaoz `_. -Vulnerability Disclosure ------------------------- - -If you think you have found a potential security vulnerability in requests, -please email `sigmavirus24 `_ and -`Lukasa `_ directly. **Do not file a public issue.** - -Our PGP Key fingerprints are: - -- 0161 BB7E B208 B5E0 4FDC 9F81 D9DA 0A04 9113 F853 (@sigmavirus24) - -- 90DC AE40 FEA7 4B14 9B70 662D F25F 2144 EEC1 373D (@lukasa) - -If English is not your first language, please try to describe the problem and -its impact to the best of your ability. For greater detail, please use your native -language and we will try our best to translate it using online services. - -Please also include the code you used to find the problem and the shortest amount -of code necessary to reproduce it. - -Please do not disclose this to anyone else. We will retrieve a CVE identifier if -necessary and give you full credit under whatever name or alias you provide. -We will only request an identifier when we have a fix and can publish it in a release. - -We will respect your privacy and will only publicize your involvement if you grant -us permission. - -Previous CVEs -~~~~~~~~~~~~~ - -- Fixed in 2.3.0 - - - `CVE 2014-1829 `_ - - - `CVE 2014-1830 `_ - File an Issue ------------- diff --git a/docs/community/vulnerabilities.rst b/docs/community/vulnerabilities.rst new file mode 100644 index 00000000..09e672ca --- /dev/null +++ b/docs/community/vulnerabilities.rst @@ -0,0 +1,102 @@ +Vulnerability Disclosure +======================== + +If you think you have found a potential security vulnerability in requests, +please email `sigmavirus24 `_ and +`Lukasa `_ directly. **Do not file a public issue.** + +Our PGP Key fingerprints are: + +- 0161 BB7E B208 B5E0 4FDC 9F81 D9DA 0A04 9113 F853 (@sigmavirus24) + +- 90DC AE40 FEA7 4B14 9B70 662D F25F 2144 EEC1 373D (@lukasa) + +If English is not your first language, please try to describe the problem and +its impact to the best of your ability. For greater detail, please use your +native language and we will try our best to translate it using online services. + +Please also include the code you used to find the problem and the shortest +amount of code necessary to reproduce it. + +Please do not disclose this to anyone else. We will retrieve a CVE identifier +if necessary and give you full credit under whatever name or alias you provide. +We will only request an identifier when we have a fix and can publish it in a +release. + +We will respect your privacy and will only publicize your involvement if you +grant us permission. + +Process +------- + +This following information discusses the process the requests project follows +in response to vulnerability disclosures. If you are disclosing a +vulnerability, this section of the documentation lets you know how we will +respond to your disclosure. + +Timeline +~~~~~~~~ + +When you report an issue, one of the project members will respond to you within +two days *at the outside*. In most cases responses will be faster, usually +within 12 hours. This initial response will confirm receipt of the report. + +If we were able to rapidly reproduce the issue, the initial response will also +contain confirmation of the issue. If we are not, we will often ask for more +information about the reproduction scenario. + +Our goal is to have a fix for any vulnerability released within two weeks of +the initial disclosure. This may potentially involve shipping an interim +release that simply disables function while a more mature fix can be prepared, +but will in the vast majority of cases mean shipping a complete release as soon +as possible. + +Throughout the fix process we will keep you up to speed with how the fix is +progressing. Once the fix is prepared, we will notify you that we believe we +have a fix. Often we will ask you to confirm the fix resolves the problem in +your environment, especially if we are not confident of our reproduction +scenario. + +At this point, we will prepare for the release. We will obtain a CVE number +if one is required, providing you with full credit for the discovery. We will +also decide on a planned release date, and let you know when it is. This +release date will *always* be on a weekday. + +At this point we will reach out to our major downstream packagers to notify +them of an impending security-related patch so they can make arrangements. +Currently the list of people we actively contact *ahead of a public release* +is: + +- Ralph Bean, Red Hat (@ralphbean) +- Daniele Tricoli, Debian (@eriol) + +We will notify these individuals at least a week ahead of our planned release +date to ensure that they have sufficient time to prepare. If you believe you +should be on this list, please let one of the maintainers know at one of the +email addresses at the top of this article. + +On release day, we will push the patch to our public repository, along with an +updated changelog that describes the issue and credits you. We will then issue +a PyPI release containing the patch. + +At this point, we will publicise the release. This will involve mails to +mailing lists, Tweets, and all other communication mechanisms available to the +core team. + +We will also explicitly mention which commits contain the fix to make it easier +for other distributors and users to easily patch their own versions of requests +if upgrading is not an option. + +Previous CVEs +------------- + +- Fixed in 2.6.0 + + - `CVE 2015-2296 `_, + reported by Matthew Daley of `BugFuzz `_. + +- Fixed in 2.3.0 + + - `CVE 2014-1829 `_ + + - `CVE 2014-1830 `_ \ No newline at end of file diff --git a/docs/index.rst b/docs/index.rst index 1701e7f2..b3edef68 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -116,6 +116,7 @@ Requests ecosystem and community. community/faq community/out-there.rst community/support + community/vulnerabilities community/updates API Documentation From bedd2be0a75c355229e43cb71bac398400d81e7a Mon Sep 17 00:00:00 2001 From: Cory Benfield Date: Wed, 18 Mar 2015 21:27:20 +0000 Subject: [PATCH 2/3] Clarify that we ship patches early. --- docs/community/vulnerabilities.rst | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/community/vulnerabilities.rst b/docs/community/vulnerabilities.rst index 09e672ca..20e5cce6 100644 --- a/docs/community/vulnerabilities.rst +++ b/docs/community/vulnerabilities.rst @@ -63,9 +63,11 @@ also decide on a planned release date, and let you know when it is. This release date will *always* be on a weekday. At this point we will reach out to our major downstream packagers to notify -them of an impending security-related patch so they can make arrangements. -Currently the list of people we actively contact *ahead of a public release* -is: +them of an impending security-related patch so they can make arrangements. In +addition, these packagers will be provided with the intended patch ahead of +time, to ensure that they are able to promptly release their downstream +packages. Currently the list of people we actively contact *ahead of a public +release* is: - Ralph Bean, Red Hat (@ralphbean) - Daniele Tricoli, Debian (@eriol) From b7e33707627ed41531008a5a0d483437c3beed28 Mon Sep 17 00:00:00 2001 From: Cory Benfield Date: Wed, 18 Mar 2015 21:40:03 +0000 Subject: [PATCH 3/3] 'At least' --- docs/community/vulnerabilities.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/community/vulnerabilities.rst b/docs/community/vulnerabilities.rst index 20e5cce6..34444b2d 100644 --- a/docs/community/vulnerabilities.rst +++ b/docs/community/vulnerabilities.rst @@ -39,7 +39,8 @@ Timeline When you report an issue, one of the project members will respond to you within two days *at the outside*. In most cases responses will be faster, usually -within 12 hours. This initial response will confirm receipt of the report. +within 12 hours. This initial response will at the very least confirm receipt +of the report. If we were able to rapidly reproduce the issue, the initial response will also contain confirmation of the issue. If we are not, we will often ask for more