security disclosure procedure examples


Lukas Kahwe Smith

Nov 26, 2014, 1:53:45 PM
to php-fig-psr-...@googlegroups.com

padraic.brady

Nov 26, 2014, 2:17:31 PM
to php-fig-psr-...@googlegroups.com
It might be no harm to include a few external examples (I see Apache in there already). For example, here's Mozilla's:
https://www.mozilla.org/en-US/about/governance/policies/security-group/bugs/

If anyone goes looking, you'll find examples are fairly disparate. Policies tend to evaporate not only due to lacking one, but also where projects already have a strong culture of responsible disclosure (the taken for granted factor ;)).

Paddy

Lukas Kahwe Smith

Nov 28, 2014, 3:27:05 AM
to padraic brady, php-fig-psr-...@googlegroups.com

> On 26 Nov 2014, at 20:17, padraic.brady <padrai...@gmail.com> wrote:
>
> It might be no harm to include a few external examples (I see Apache in there already). For example, here's Mozilla's:
> https://www.mozilla.org/en-US/about/governance/policies/security-group/bugs/

http://www.openbsd.org/security.html

This process also makes me wonder if we should also cover security procedure discovery, i.e. a defined URL scheme like "[project url]/security" or something like that.

> If anyone goes looking, you'll find examples are fairly disparate. Policies tend to evaporate not only due to lacking one, but also where projects already have a strong culture of responsible disclosure (the taken for granted factor ;)).

Yeah, some just provide an email or contact form, some are more elaborate.

Lukas Kahwe Smith

Dec 8, 2014, 8:11:23 AM
to padraic brady, php-fig-psr-...@googlegroups.com
Aloha,

Going through the list to look for some inspirations and patterns. I tried to collect this with some diligence but I am sure I missed a few things and hopefully do not misrepresent too many projects :)

---

First up, I noticed that half of the projects offer “[main domain]/security” as the source for their security disclosure information (or at least as a redirect to it):

* http://symfony.com/doc/current/contributing/code/security.html
* http://framework.zend.com/security/
* http://www.yiiframework.com/security/
* https://www.drupal.org/security
* http://www.revive-adserver.com/support/bugs/
* http://magento.com/security
* http://www.apache.org/security/committers.html
* https://www.mozilla.org/en-US/about/governance/policies/security-group/bugs/

These projects do not offer “[main domain]/security”:

* http://codex.wordpress.org/FAQ_Security (no /security)
* http://www.sugarcrm.com/page/sugarcrm-security-policy/en (no /security)
* http://typo3.org/teams/security/ (no /security)
* http://cakephp.org/development (no /security)
* http://www.concrete5.org/developers/security/
* http://developer.joomla.org/security.html / http://developer.joomla.org/contact-security-team.html (no /security on the main domain)
* http://wiki.horde.org/SecurityManagement (no /security)
* http://www.openbsd.org/security.html (no redirect when .html is missing)

---

Projects that offer fairly detailed info about the actual procedures:

* Apache
* OpenBSD
* Mozilla.org
* Symfony
* Drupal
* Wordpress
* Magento

Interestingly, only one project (Symfony) mentioned explicitly that the process includes getting a CVE identifier.

---

Projects offering bug bounties:

* Magento
* Mozilla

Contacting:

* Most provide an email address like "security@[main domain]"
* Yii + Joomla provide a contact form (this seems highly risky, since the website itself is likely also hosted on the same code base that might be affected)
* OpenBSD: personal email + public mailinglist
* ZendFramework uses zf-se...@zend.com
* SugarCRM uses sec...@sugarcrm.com

Methods for publishing security issues:

* Mailinglist: OpenBSD, Mailinglist, TYPO3, Horde
* Feed: ZendFramework, TYPO3, Drupal
* Blog: Symfony
* CVE: Symfony
* Dedicated page: Drupal, Joomla, ZendFramework

I assume all others at least list them in release notes.