|
Packit |
56e23f |
The libseccomp Security Vulnerability Handling Process
|
|
Packit |
56e23f |
===============================================================================
|
|
Packit |
56e23f |
https://github.com/seccomp/libseccomp
|
|
Packit |
56e23f |
|
|
Packit |
56e23f |
This document document attempts to describe the processes through which
|
|
Packit |
56e23f |
sensitive security relevant bugs can be responsibly disclosed to the libseccomp
|
|
Packit |
56e23f |
project and how the project maintainers should handle these reports. Just like
|
|
Packit |
56e23f |
the other libseccomp process documents, this document should be treated as a
|
|
Packit |
56e23f |
guiding document and not a hard, unyielding set of regulations; the bug
|
|
Packit |
56e23f |
reporters and project maintainers are encouraged to work together to address
|
|
Packit |
56e23f |
the issues as best they can, in a manner which works best for all parties
|
|
Packit |
56e23f |
involved.
|
|
Packit |
56e23f |
|
|
Packit |
56e23f |
### Reporting Problems
|
|
Packit |
56e23f |
|
|
Packit |
56e23f |
Problems with the libseccomp library that are not suitable for immediate public
|
|
Packit |
56e23f |
disclosure should be emailed to the current libseccomp maintainers, the list is
|
|
Packit |
56e23f |
below. We typically request at most a 90 day time period to address the issue
|
|
Packit |
56e23f |
before it is made public, but we will make every effort to address the issue as
|
|
Packit |
56e23f |
quickly as possible and shorten the disclosure window.
|
|
Packit |
56e23f |
|
|
Packit |
56e23f |
* Paul Moore, paul@paul-moore.com
|
|
Packit |
56e23f |
* Tom Hromatka, tom.hromatka@oracle.com
|
|
Packit |
56e23f |
|
|
Packit |
56e23f |
### Resolving Sensitive Security Issues
|
|
Packit |
56e23f |
|
|
Packit |
56e23f |
Upon disclosure of a bug, the maintainers should work together to investigate
|
|
Packit |
56e23f |
the problem and decide on a solution. In order to prevent an early disclosure
|
|
Packit |
56e23f |
of the problem, those working on the solution should do so privately and
|
|
Packit |
56e23f |
outside of the traditional libseccomp development practices. One possible
|
|
Packit |
56e23f |
solution to this is to leverage the GitHub "Security" functionality to create a
|
|
Packit |
56e23f |
private development fork that can be shared among the maintainers, and
|
|
Packit |
56e23f |
optionally the reporter. A placeholder GitHub issue may be created, but
|
|
Packit |
56e23f |
details should remain extremely limited until such time as the problem has been
|
|
Packit |
56e23f |
fixed and responsibly disclosed. If a CVE, or other tag, has been assigned to
|
|
Packit |
56e23f |
the problem, the GitHub issue title should include the vulnerability tag once
|
|
Packit |
56e23f |
the problem has been disclosed.
|
|
Packit |
56e23f |
|
|
Packit |
56e23f |
### Public Disclosure
|
|
Packit |
56e23f |
|
|
Packit |
56e23f |
Whenever possible, responsible reporting and patching practices should be
|
|
Packit |
56e23f |
followed, including notification to the linux-distros and oss-security mailing
|
|
Packit |
56e23f |
lists.
|
|
Packit |
56e23f |
|
|
Packit |
56e23f |
* https://oss-security.openwall.org/wiki/mailing-lists/distros
|