On submitting security (vulnerability) disclosures


Tatu Saloranta

Jul 25, 2019, 11:01:33 PM7/25/19
to jacks...@googlegroups.com, jackson-user
Due to a steady stream of Default Typing related reports on more known
"gadget types" (see
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
for background), I think it makes sense to clarify the procedure I
think works best.

First of all, a good first step is to send a note to
`in...@fasterxml.com`, explaining the basics of what you think the
problem is. For the most security conscious, this can be quite generic,
and if you really want to, you can request my PGP key for sending more
secure communications. Or it can contain the actual full description.
Either way is fine.

Once we establish that we (Jackson maintainers) consider this to be a
security vulnerability worth reporting as a CVE, we will then ask the
submitter (you) to request a CVE ID, using:

https://cve.mitre.org/cve/request_id.html

We may also proceed with verification and fix in the meantime.

There will be a Jackson (usually jackson-databind) issue as well,
initially with low-res details, but with more details once the fix has
been released.

The above procedure is what submitters have followed so far, for the
most part; the main important clarification is the role of the
submitter as the requestor for the CVE ID.

-+ Tatu +-