diff --git a/doc/Makefile.am b/doc/Makefile.am index f073bfa4..5a925057 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -203,6 +203,7 @@ EXTRA_DIST = \ sources/python-apiref.rst \ sources/building-android-binary.rst \ sources/contribute.rst \ + sources/security.rst \ _exts/sphinxcontrib/LICENSE.rubydomain \ _exts/sphinxcontrib/__init__.py \ _exts/sphinxcontrib/rubydomain.py \ diff --git a/doc/security.rst b/doc/security.rst new file mode 100644 index 00000000..00b0c9cb --- /dev/null +++ b/doc/security.rst @@ -0,0 +1 @@ +.. include:: ../doc/sources/security.rst diff --git a/doc/sources/index.rst b/doc/sources/index.rst index c8f688d3..b22dd1fc 100644 --- a/doc/sources/index.rst +++ b/doc/sources/index.rst @@ -18,6 +18,7 @@ Contents: package_README contribute + security building-android-binary tutorial-client tutorial-server diff --git a/doc/sources/security.rst b/doc/sources/security.rst new file mode 100644 index 00000000..6134cd7e --- /dev/null +++ b/doc/sources/security.rst 
@@ -0,0 +1,38 @@ +Security Process +================ + +If you find a vulnerability in our software, please send the email to +"tatsuhiro.t at gmail dot com" about its details instead of submitting +issues on github issue page. It is a standard practice not to +disclose vulnerability information publicly until a fixed version is +released, or mitigation is worked out. In the future, we may setup a +dedicated mail address for this purpose. + +If we identify that the reported issue is really a vulnerability, we +open a new security advisory draft using `GitHub security feature +`_ and discuss the +mitigation and bug fixes there. The fixes are committed to the +private repository. + +We write the security advisory and get CVE number from GitHub +privately. We also discuss the disclosure date to the public. + +We make a new release with the fix at the same time when the +vulnerability is disclosed to public. + +At least 7 days before the public disclosure date, we will post +security advisory (which includes all the details of the vulnerability +and the possible mitigation strategies) and the patches to fix the +issue to `distros@openwall +`_ +mailing list. We also open a new issue on `nghttp2 issue tracker +`_ which notifies that the +upcoming release will have a security fix. The ``SECURITY`` label is +attached to this kind of issue. + +Before few hours of new release, we merge the fixes to the master +branch (and/or a release branch if necessary) and make a new release. +Security advisory is disclosed on GitHub. We also post the +vulnerability information to `oss-secirty +`_ +mailing list.
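Review bot: in the doc/Makefile.am hunk only `sources/security.rst` is added to `EXTRA_DIST`, while the diff also creates the stub `doc/security.rst`; if the other top-level `doc/*.rst` include stubs are listed in `EXTRA_DIST` (they are outside the shown context), add `security.rst` alongside `sources/security.rst` so the distribution tarball can build the new page.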
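Review bot: the include path in the new doc/security.rst, `.. include:: ../doc/sources/security.rst`, leaves `doc/` and re-enters it; since `include` paths are resolved relative to the including file, `.. include:: sources/security.rst` names the same file without depending on the checkout directory being called `doc`. Worth matching whatever form the neighbouring stub files use.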
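Review bot: the three inline hyperlinks in the new doc/sources/security.rst (`GitHub security feature `_`, `distros@openwall `_` and `oss-secirty `_`) show no target between the link text and the closing backtick, so as written Sphinx will emit "Unknown target name" warnings and render dead links; confirm each carries its `<URL>` before the closing backtick. While here, fix the wording: "oss-secirty" -> "oss-security", "we may setup" -> "we may set up", "get CVE number" -> "get a CVE number", "post security advisory" -> "post the security advisory", and "Before few hours of new release" -> "A few hours before the new release". The process also never tells a reporter what to expect after sending the mail; consider stating an acknowledgement window and, if the reporting address has a PGP key, publishing its fingerprint here so the "details" the first paragraph asks for can be sent encrypted.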