From dec66d325f485831d233630d4a82c257732a9e05 Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Thu, 11 Mar 2021 17:38:51 +0000 Subject: [PATCH] docs: Add a policy for handling security issues This also gives details of how to report a security issue, including the key point that merge requests are (unfortunately) not confidential. Heavily based on the flatpak security policy which just landed: https://github.com/flatpak/flatpak/blob/master/SECURITY.md Signed-off-by: Philip Withnall --- SECURITY.md | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..4817af76c --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,67 @@ +# Security policy for GLib + + * [Supported Versions](#Supported-Versions) + * [Reporting a Vulnerability](#Reporting-a-Vulnerability) + * [Security Announcements](#Security-Announcements) + * [Acknowledgements](#Acknowledgements) + +## Supported Versions + +Upstream GLib only supports the most recent stable release series, and the +current development release series. Any older stable release series are no +longer supported, although they may still receive backported security updates +in long-term support distributions. Such support is up to the distributions, +though. + +Under GLib’s versioning scheme, stable release series have an *even* minor +component (for example, 2.66.0, 2.66.1, 2.68.3), and development release series +have an *odd* minor component (2.67.1, 2.69.0). + +## Reporting a Vulnerability + +If you think you've identified a security issue in GLib, GObject or GIO, please +**do not** report the issue publicly via a mailing list, IRC, a public issue on +the GitLab issue tracker, a merge request, or any other public venue. + +Instead, report a +[*confidential* issue in the GitLab issue tracker](https://gitlab.gnome.org/GNOME/glib/-/issues/new?issue[confidential]=1), +with the “This issue is confidential” box checked. Please include as many +details as possible, including a minimal reproducible example of the issue, and +an idea of how exploitable/severe you think it is. + +**Do not** provide a merge request to fix the issue, as there is currently no +way to make confidential merge requests on gitlab.gnome.org. If you have patches +which fix the security issue, please attach them to your confidential issue as +patch files. + +Confidential issues are only visible to the reporter and the GLib maintainers. + +As per the [GNOME security policy](https://security.gnome.org/), the next steps +are then: + * The report is triaged. + * Code is audited to find any potential similar problems. 
+ * If it is determined, in consultation with the submitter, that a CVE is + required, the submitter obtains one via [cveform.mitre.org](https://cveform.mitre.org/). + * The fix is prepared for the development branch, and for the most recent + stable branch. + * The fix is submitted to the public repository. + * On the day the issue and fix are made public, an announcement is made on the + [public channels listed below](#Security-Announcements). + * A new release containing the fix is issued. + +## Security Announcements + +Security announcements are made publicly via the +[`distributor` tag on discourse.gnome.org](https://discourse.gnome.org/tag/distributor) +and cross-posted to the +[distributor-list](https://mail.gnome.org/mailman/listinfo/distributor-list). + +Announcements for security issues with wide applicability or high impact may +additionally be made via +[oss-security@lists.openwall.com](https://www.openwall.com/lists/oss-security/). + +## Acknowledgements + +This text was partially based on the +[github.com/containers security policy](https://github.com/containers/common/blob/master/SECURITY.md), +and partially based on the [flatpak security policy](https://github.com/flatpak/flatpak/blob/master/SECURITY.md).
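Review bot: The "Reporting a Vulnerability" section offers exactly one private channel, a confidential GitLab issue, which requires a gitlab.gnome.org account; a reporter who does not have one (or cannot create one) is left with only the public venues the same section forbids. Consider adding a fallback such as an e-mail contact for the maintainers, or at least a sentence telling account-less reporters where to go. Two smaller points in the same hunk: the statement "Confidential issues are only visible to the reporter and the GLib maintainers" should be checked against GitLab's actual rule, which is that confidential issues are visible to project members with at least the Reporter role, so anyone granted Reporter or Developer on GNOME/glib can also read them, and the wording should say so if that is the case. Also, the table-of-contents links (`#Supported-Versions`, `#Reporting-a-Vulnerability`, `#Security-Announcements`, `#Acknowledgements`) use capitalised fragments while GitLab generates lowercase heading anchors; worth verifying they resolve in the rendered file on gitlab.gnome.org and lowercasing them if they do not.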