Timestamp: Dec 19, 2009, 5:24:46 PM
Author: MarkDoliner
Comment: (none)
Changes from v5 to v6 (columns: v5 line | v6 line | content)
1 | 1 | = How to Report a Security Vulnerability = |
2 | | If you think you've found a bug in Pidgin, Finch or libpurple that could potentially be exploited in a way that could harm users or prevent them from using the program (e.g. a remotely triggerable crash), please do not disclose the information publicly! Please do not tell people on the Pidgin devel mailing list, in the Pidgin IRC channel, or in the Pidgin Jabber conference room. |
| 2 | If you think you've found a bug in our software that could be exploited in a way that could harm users or prevent them from using the software (e.g. a remotely triggerable crash): |
| 3 | * DO NOT disclose the information publicly |
| 4 | * DO NOT tell people on our mailing lists |
| 5 | * DO NOT tell people in our IRC channel or our Jabber conference room |
| 6 | * DO send an email to security@pidgin.im. Emails to this address are sent to a core group of developers who will review the problem and take appropriate action. |
3 | 7 | |
4 | | Instead, send an email to security@pidgin.im. Emails to this address are sent to a core group of developers who will review the problem and take appropriate action. |
| 8 | When reporting a problem to security@pidgin.im, please provide this information: |
| 9 | * The version of Pidgin, libpurple, finch, or other package in which the problem was discovered. |
| 10 | * A concise description of the problem, including a summary of why you believe it is security-critical. This might be, for example, "Receipt of an invalid XMPP message containing the tag <foo> causes Pidgin to write data to an invalid memory location." |
| 11 | * Steps to reproduce the problem, if known. |
| 12 | * Any debugging information, including backtraces (see [wiki:GetABacktrace our instructions for obtaining a backtrace]), a debug log (the output of pidgin -d), etc. |
| 13 | * Any proof of concept exploits, debugging tools, or other information you have and are willing to divulge. |
| 14 | * The oldest and newest versions of our software affected by the bug to the best of your knowledge. If you don't know, that's fine — we'll try to find out. |
| 15 | * Information on any security reports or vulnerability assessments you may have already made on the issue (preferably not yet public, as mentioned above). |
| 16 | * Any proposed embargo dates, release schedules, etc. you or your organization may have established. |
| 17 | |
5 | 18 | |
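Review bot: lines 6 and 8 of the new text tell reporters to email security@pidgin.im, and line 13 asks them to include proof-of-concept exploits, but nothing states that this address is a private alias rather than a public list, nor how to send such material confidentially. Suggest adding a sentence after line 6 saying that mail to security@pidgin.im is not archived publicly, and offering an encryption key (for example a PGP key for the address) so that reporters are not asked to send exploit details in cleartext.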
6 | 19 | = Process for Developers = |
7 | | 1. Acknowledge receipt of the bug. |
8 | | a. When a bug is reported to the security@pidgin.im mailing list, reply to the reporter with an email based on this template: |
| 20 | When a developer is made aware of a security vulnerability, follow these steps: |
| 21 | 1. Acknowledge receipt the bug report. |
| 22 | a. If the bug is reported only to security@pidgin.im, reply to the reporter with an email based on this template: |
9 | 23 | {{{ |
10 | | Thank you for reporting this problem to us! |
11 | | We will investigate it and make an appropriate fix. |
12 | | In the mean time, we ask that you please not disclose the problem to the public, yet! |
13 | | Please provide us with the following information: TODO |
| 24 | Thank you for reporting this problem to us! |
| 25 | |
| 26 | We take security problems very seriously. We will verify that this |
| 27 | is indeed a problem and release an appropriate fix as soon as |
| 28 | possible. In the mean time, please do not disclose the problem to |
| 29 | the public! We prefer to work work with distributors of our |
| 30 | software to allow them to build a fixed package before the problem |
| 31 | is announced publicly. |
| 32 | |
| 33 | Please provide us with the following information: |
| 34 | [any items from the above list that were missing from the original email] |
14 | 35 | }}} |
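Review bot: two typos in the new text: line 21 reads "Acknowledge receipt the bug report" (missing "of"), and line 29 of the reply template reads "work work with distributors" (duplicated word). Since the template is meant to be copied verbatim into replies to reporters, the duplicated word should be fixed before this version is used.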
15 | | a. If the bug has already been announced publicly (on devel mailing list, IRC, or Jabber conference), send all information about the bug to security@pidgin.im |
16 | | 1. Developers on the security email list should determine an appropriate fix and create a patch. |
17 | | 1. Once an agreed upon patch has been created, an email based on this template should be sent to the packagers mailing list: |
| 36 | b. If the bug has already been announced publicly (on devel mailing list, IRC, or Jabber conference), send all information about the bug to security@pidgin.im |
| 37 | 2. Developers on the security email list should determine an appropriate fix and create a patch. |
| 38 | 2. Once an agreed upon patch has been created, an email based on this template should be sent to the packagers mailing list: |
18 | 39 | {{{ |
19 | | Subject: Security Vulnerability |
20 | | Body: A security vulnerability has been discovered in [Pidgin|Finch|libpurple|other] |
21 | | Affected software: [e.x. "Pidgin 2.4.2-2.6.0", or "All clients based on libpurple 2.3.3-2.3.7"] |
22 | | Discovered by: [Name of company or individual] |
23 | | Public: ["no" or "yes as of YYYY-MM-DD"] |
24 | | Embargo date: [Either "none" or the agreed upon date] |
| 40 | A security vulnerability has been discovered in [Pidgin|Finch|libpurple|other] |
| 41 | Affected software: [e.x. "Pidgin 2.4.2-2.6.0", or "All clients based on libpurple 2.3.3-2.3.7"] |
| 42 | Discovered by: [Name of company or individual] |
| 43 | Public: ["no" or "yes as of YYYY-MM-DD"] |
| 44 | Embargo date: [Either "none" or the agreed upon date] |
25 | 45 | }}} |
26 | | 1. Announce to the world, create new packages, update security page |
| 46 | 2. Announce to the world, create new packages, update security page |
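Review bot: the numbering of the developer steps is inconsistent: v5 used "1." for every item (Trac auto-numbers), while v6 uses "1." at line 21 and then "2." at lines 37, 38 and 46, so the intended order (acknowledge, fix, notify packagers, announce) is no longer clear from the markup. Either number them sequentially (1, 2, 3, 4) or return to a uniform "1." as before. The packagers template at lines 40-44 also dropped the "Subject: Security Vulnerability" line that v5 had at old line 19; keeping a fixed subject makes the notice easy for packagers to filter, so consider restoring it.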