| author | Philip Withnall <pwithnall@endlessos.org> | 2021-03-11 17:38:51 +0000 |
|---|---|---|
| committer | Philip Withnall <pwithnall@endlessos.org> | 2021-03-11 17:38:51 +0000 |
| commit | dec66d325f485831d233630d4a82c257732a9e05 (patch) | |
| tree | e0cb0e102ff374ed58ba7647416b9bb81892e686 | |
| parent | b3384e5797de3226224927190e9f7cd0973ac168 (diff) | |
| download | glib-dec66d325f485831d233630d4a82c257732a9e05.tar.gz | |
docs: Add a policy for handling security issues
This also gives details of how to report a security issue, including the
key point that merge requests are (unfortunately) not confidential.
Heavily based on the flatpak security policy which just landed:
https://github.com/flatpak/flatpak/blob/master/SECURITY.md
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
-rw-r--r-- | SECURITY.md | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..4817af76c --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,67 @@ +# Security policy for GLib + + * [Supported Versions](#Supported-Versions) + * [Reporting a Vulnerability](#Reporting-a-Vulnerability) + * [Security Announcements](#Security-Announcements) + * [Acknowledgements](#Acknowledgements) + +## Supported Versions + +Upstream GLib only supports the most recent stable release series, and the +current development release series. Any older stable release series are no +longer supported, although they may still receive backported security updates +in long-term support distributions. Such support is up to the distributions, +though. + +Under GLib’s versioning scheme, stable release series have an *even* minor +component (for example, 2.66.0, 2.66.1, 2.68.3), and development release series +have an *odd* minor component (2.67.1, 2.69.0). + +## Reporting a Vulnerability + +If you think you've identified a security issue in GLib, GObject or GIO, please +**do not** report the issue publicly via a mailing list, IRC, a public issue on +the GitLab issue tracker, a merge request, or any other public venue. + +Instead, report a +[*confidential* issue in the GitLab issue tracker](https://gitlab.gnome.org/GNOME/glib/-/issues/new?issue[confidential]=1), +with the “This issue is confidential” box checked. Please include as many +details as possible, including a minimal reproducible example of the issue, and +an idea of how exploitable/severe you think it is. + +**Do not** provide a merge request to fix the issue, as there is currently no +way to make confidential merge requests on gitlab.gnome.org. If you have patches +which fix the security issue, please attach them to your confidential issue as +patch files. + +Confidential issues are only visible to the reporter and the GLib maintainers. + +As per the [GNOME security policy](https://security.gnome.org/), the next steps +are then: + * The report is triaged. + * Code is audited to find any potential similar problems. 
+ * If it is determined, in consultation with the submitter, that a CVE is + required, the submitter obtains one via [cveform.mitre.org](https://cveform.mitre.org/). + * The fix is prepared for the development branch, and for the most recent + stable branch. + * The fix is submitted to the public repository. + * On the day the issue and fix are made public, an announcement is made on the + [public channels listed below](#Security-Announcements). + * A new release containing the fix is issued. + +## Security Announcements + +Security announcements are made publicly via the +[`distributor` tag on discourse.gnome.org](https://discourse.gnome.org/tag/distributor) +and cross-posted to the +[distributor-list](https://mail.gnome.org/mailman/listinfo/distributor-list). + +Announcements for security issues with wide applicability or high impact may +additionally be made via +[oss-security@lists.openwall.com](https://www.openwall.com/lists/oss-security/). + +## Acknowledgements + +This text was partially based on the +[github.com/containers security policy](https://github.com/containers/common/blob/master/SECURITY.md), +and partially based on the [flatpak security policy](https://github.com/flatpak/flatpak/blob/master/SECURITY.md). |
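Review bot: the table-of-contents links at the top of the new SECURITY.md use capitalised fragments (`#Supported-Versions`, `#Reporting-a-Vulnerability`, `#Security-Announcements`, `#Acknowledgements`), and the same capitalised form is reused in the "public channels listed below" link; GitLab generates heading anchors in lowercase, so these fragments will not resolve when the file is rendered. Suggest lowercasing them (`#supported-versions` and so on) in all five places. Also worth stating explicitly in the "Reporting a Vulnerability" steps: "The fix is submitted to the public repository." is listed before "On the day the issue and fix are made public", so a reporter cannot tell whether the fix commit itself starts the public disclosure or whether distributors on the `distributor-list` get advance notice; one sentence on that, and on roughly how quickly a confidential report will be acknowledged, would make the policy more useful to reporters and downstreams.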