
Changes between Version 3 and Version 4 of SecurityVulnerabilityProcess


Timestamp:
Sep 22, 2009, 6:37:51 AM (14 years ago)
Author:
MarkDoliner
Comment:

--

  • SecurityVulnerabilityProcess

    v3 v4  
    22If you think you've found a bug in Pidgin, Finch or libpurple that could potentially be exploited in a way that could harm users or prevent them from using the program (e.g. a remotely triggerable crash), please do not disclose the information publicly!  Please do not tell people on the Pidgin devel mailing list, in the Pidgin IRC channel, or in the Pidgin Jabber conference room.
    33
    4 Instead, send an email to security@pidgin.im.  Emails to this alias are sent to a core group of developers who will review the problem and take appropriate action.
     4Instead, send an email to security@pidgin.im.  Emails to this address are sent to a core group of developers who will review the problem and take appropriate action.
    55
    6 = Process =
    7  1a. If the bug is reported to the security@pidgin.im mailing list, reply to the reporter with an email based on this template:
    8   Thank you for reporting this problem to us!  We will investigate it and make an appropriate fix.  In the mean time, we ask that you please not disclose the problem to the public, yet!  Please provide us with the following information: TODO
    9  1b. If the bug has already been announced publicly (on devel mailing list, IRC, or Jabber conference), send all information about the bug to security@pidgin.im
    10  2. The developers on the security email alias should determine an appropriate fix and create a patch.
    11  3. Once an agreed upon patch has been created, an email based on this template should be sent to the packagers mailing list:
     6= Process for Developers =
     7 1.
     8  a) When a bug is reported to the security@pidgin.im mailing list, reply to the reporter with an email based on this template:
     9     Thank you for reporting this problem to us!  We will investigate it and make an appropriate fix.  In the mean time, we ask that you please not disclose the problem to the public, yet!  Please provide us with the following information: TODO
     10  b) If the bug has already been announced publicly (on devel mailing list, IRC, or Jabber conference), send all information about the bug to security@pidgin.im
     11 2. Developers on the security email list should determine an appropriate fix and create a patch.
     12 1. Once an agreed upon patch has been created, an email based on this template should be sent to the packagers mailing list:
    1213  Subject: Security Vulnerability
    1314  Body: A security vulnerability has been discovered in [Pidgin|Finch|libpurple|other]
    1415  Affected software: [e.x. "Pidgin 2.4.2-2.6.0", or "All clients based on libpurple 2.3.3-2.3.7"]
    1516  Discovered by: [Name of company or individual]
    16   Public: [yes or no]
     17  Public: ["no" or "yes as of YYYY-MM-DD"]
    1718  Embargo date: [Either "none" or the agreed upon date]
    18 4. Announce to the world, create new packages, update security page
     19 1. Announce to the world, create new packages, update security page
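Review bot: the acknowledgement template in step 1(a) still ends with the placeholder "Please provide us with the following information: TODO", carried over unchanged from v3 into v4; fill in the list of details the security group actually wants from the reporter (at minimum the affected software and version range that the packager template later asks for) or drop the sentence, otherwise the first reply to a reporter goes out with a literal TODO in it. The same applies to the new "Public: ["no" or "yes as of YYYY-MM-DD"]" field: it is an improvement over the plain yes/no, but the process text gives no step for updating that date when a report goes public during the embargo, so it is worth stating who records it.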