User Tools

Site Tools


Security Bug Handling

The Apache Project’s vulnerability handling procedure is great and we use the same process.

No information should be made public about the vulnerability until it is formally announced at the end of this process. That means, for example that a JIRA issue must NOT be created to track the issue since that will make the issue public. Also the messages associated with any commits should not make ANY reference to the security nature of the commit.

  1. The person discovering the issue, the reporter, reports the vulnerability privately to
  2. Messages that do not relate to the reporting or managing of an undisclosed security vulnerability in Hyperledger software are ignored and no further action is required.
  3. The project team sends an e-mail to the original reporter to acknowledge the report.
  4. The project team investigates report and either rejects it or accepts it.
  5. If the report is rejected, the project team writes to the reporter to explain why.
  6. If the report is accepted, the project team writes to the reporter to let them know it is accepted and that they are working on a fix.
  7. The project team requests a CVE number from by sending an e-mail with the subject “CVE request for…” and providing a short (one line) description of the vulnerability. Guidance is available to determine if a report requires multiple CVEs or if multiple reports should be merged under a single CVE.
  8. The project team agrees the fix on their private list.
  9. The project team provides the reporter with a copy of the fix and a draft vulnerability announcement for comment.
  10. The project team agrees to the fix, the announcement and the release schedule with the reporter. For an example of an announcement see Tomcat's announcement of CVE-2008-2370. The level of detail to include in the report is a matter of judgement. Generally, reports should contain enough information to enable people to assess the risk associated with the vulnerability for their system and no more. Steps to reproduce the vulnerability are not normally included.
  11. The project team commits the fix. No reference should be made to the commit being related to a security vulnerability.
  12. The project team creates a release that includes the fix.
  13. The project team announces the release. The release announcement should be sent to the usual mailing lists (typically the project's user list, dev list, announce list and the Hyperledger announce list).
  14. The project team announces the vulnerability. The vulnerability announcement should be sent after the release announcement to the following destinations:
    1. the same destinations as the release announcement
    2. the vulnerability reporter
    3. the project's security list (or the if the project does not have a dedicated security list). When posting to mailing lists it is strongly recommended that an appropriate reply-to (e.g. the project's user mailing list) is set. Note that the external addressees have their own posting rules and you may need to use a separate e-mail for each in order to comply with these rules.
    4. and use “Notify CVE about a publication”. You should use your e-mail address when submitting the form. Submissions should be in the following format:
      [PRODUCT]:Apache Tomcat
      [VERSION]:9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, 7.0.0 to 7.0.75
      [PROBLEMTYPE]:Information Disclosure
      [DESCRIPTION]:While investigating bug 60718, it was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.
  15. The project's security pages should also be updated.
  16. This is the first point that any information regarding the vulnerability is made public.
  17. The log for the git commit that applied the fix is updated to include the CVE number. Projects that use git as their primary source code control system should not do this as editing a pushed commit causes all sorts of problems.

Information may be shared with domain experts (eg colleagues at your employer) at the discretion of the project's security team providing that it is made clear that the information is not for public disclosure and that or the project's security mailing list must be copied on any communication regarding the vulnerability.

security/bug-handling-process.txt · Last modified: 2017/06/20 01:22 by Tracy Kuhrt