responsible disclosure

jody.garnett
Wanted to bring up an idea for OSGeo projects around the responsible disclosure of security vulnerabilities.

I have some working notes in a blog post here that will be making their way into the geoserver developers guide and website:

Responsible Disclosure 

If you encounter a security vulnerability in GeoServer, or any other open source software, please take care to report the issue in a responsible fashion:
  • Keep exploit details out of the issue report (send them to the developer/PSC privately – just like you would do for sensitive sample data)
  • Be prepared to work with Project Steering Committee (PSC) members on a solution
  • Keep in mind PSC members are volunteers and an extensive fix may require fundraising / resources
If you are not in a position to communicate in public (or make use of the issue tracker), please consider commercial support, contacting a PSC member privately, or contacting us via the Open Source Geospatial Foundation at [hidden email].

While I would hope some of the above is common sense, please consider your project's guidelines (perhaps something like the above would be appropriate).

Aside: I have taken the liberty of using [hidden email] as a contact point for the GeoServer PSC as it is a public email address suitable for communication. In the past Jeff (or others) have been kind enough to make an appropriate introduction to a member of the GeoServer PSC.

Any feedback/discussion welcome.
--
Jody Garnett

_______________________________________________
Projects mailing list
[hidden email]
http://lists.osgeo.org/cgi-bin/mailman/listinfo/projects

Re: responsible disclosure

Even Rouault-2
On Sunday 28 June 2015 00:03:20, Jody Garnett wrote:

> Wanted to bring up an idea for OSGeo projects around the responsible
> disclosure of security vulnerabilities.
>
> I have some working notes in a blog post here
> <http://blog.geoserver.org/2015/06/27/geoserver-xee-vulnerability/> that
> will be making their way into the geoserver developers guide and website:
>
> *Responsible Disclosure*
>
> > If you encounter a security vulnerability in GeoServer, or any other open
> > source software, please take care to report the issue in a responsible
> >
> > fashion:
> >    - Keep exploit details out of issue report (send to developer/PSC
> >    privately – just like you would do for sensitive sample data)

Shouldn't the whole report be private? Even without the exploit itself,
mentioning the vulnerability class could already be sufficient for ill-
intentioned people to figure out the exploit. Especially with XEE, where the
attack vectors are "standardized". If it is "arbitrary code execution" then
I agree it doesn't tell much by itself about how to exploit it.


> >    - Be prepared to work with Project Steering Committee (PSC) members on
> >    a solution
> >    - Keep in mind PSC members are volunteers and an extensive fix may
> >    require fundraising / resources
> >
> > If you are not in position to communicate in public (or make use of the
> > issue tracker) please consider commercial support
> > <http://geoserver.org/support/>, contacting a PSC member
> > <http://docs.geoserver.org/latest/en/developer/policies/psc.html#current-
> > psc> privately or contacting us via the Open Source Geospatial Foundation
> > at
> > [hidden email].
>
> While I would hope some of the above is common sense, please consider your
> projects guidelines (perhaps something like the above would be
> appropriate).
>
> Aside: I have taken the liberty of using [hidden email] as a contact point
> for the GeoServer PSC as it is a public email address suitable for
> communication. In the past Jeff (or others) have been kind enough to make
> an appropriate introduction to a member of the GeoServer PSC.
>
> Any feedback/discussion welcome.
> --
> Jody Garnett

--
Spatialys - Geospatial professional services
http://www.spatialys.com