nghttp2 commit 32ac8bdf
authored Jul 24, 2020 by Tatsuhiro Tsujikawa
Add security process document
parent 7f92b1e0
Showing 4 changed files with 41 additions and 0 deletions

doc/Makefile.am           +1  -0
doc/security.rst          +1  -0
doc/sources/index.rst     +1  -0
doc/sources/security.rst  +38 -0
doc/Makefile.am
@@ -203,6 +203,7 @@ EXTRA_DIST = \
sources/python-apiref.rst
\
sources/building-android-binary.rst
\
sources/contribute.rst
\
sources/security.rst
\
_exts/sphinxcontrib/LICENSE.rubydomain
\
_exts/sphinxcontrib/__init__.py
\
_exts/sphinxcontrib/rubydomain.py
\
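Review bot: the wrapper page doc/security.rst that this commit also creates is not listed in this hunk, only sources/security.rst is; confirm that the wrapper is picked up by another EXTRA_DIST entry or rule (the hunk starts at line 203, so earlier entries are not visible here), otherwise distribution tarballs will carry the source text without the page that includes it.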
doc/security.rst
0 → 100644
.. include:: ../doc/sources/security.rst
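Review bot: the include path `../doc/sources/security.rst` is resolved relative to this file's own directory, so from doc/ it climbs out and straight back into doc/sources/; for an in-tree build that is the same as `sources/security.rst`, so keep the `../doc/` form only if the sibling wrapper pages (contribute and the others listed in the index hunk) use the same spelling, so that the wrappers stay uniform and the reason for the prefix is not lost.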
doc/sources/index.rst
@@ -18,6 +18,7 @@ Contents:
package_README
contribute
security
building-android-binary
tutorial-client
tutorial-server
doc/sources/security.rst
0 → 100644
Security Process
================
If you find a vulnerability in our software, please send the email to
"tatsuhiro.t at gmail dot com" about its details instead of submitting
issues on github issue page. It is a standard practice not to
disclose vulnerability information publicly until a fixed version is
released, or mitigation is worked out. In the future, we may setup a
dedicated mail address for this purpose.
If we identify that the reported issue is really a vulnerability, we
open a new security advisory draft using `GitHub security feature
<https://github.com/nghttp2/nghttp2/security>`_ and discuss the
mitigation and bug fixes there. The fixes are committed to the
private repository.
We write the security advisory and get CVE number from GitHub
privately. We also discuss the disclosure date to the public.
We make a new release with the fix at the same time when the
vulnerability is disclosed to public.
At least 7 days before the public disclosure date, we will post
security advisory (which includes all the details of the vulnerability
and the possible mitigation strategies) and the patches to fix the
issue to `distros@openwall
<https://oss-security.openwall.org/wiki/mailing-lists/distros>`_
mailing list. We also open a new issue on `nghttp2 issue tracker
<https://github.com/nghttp2/nghttp2/issues>`_ which notifies that the
upcoming release will have a security fix. The ``SECURITY`` label is
attached to this kind of issue.
Before few hours of new release, we merge the fixes to the master
branch (and/or a release branch if necessary) and make a new release.
Security advisory is disclosed on GitHub. We also post the
vulnerability information to `oss-secirty
<https://oss-security.openwall.org/wiki/mailing-lists/oss-security>`_
mailing list.
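Review bot: the link text in the last paragraph reads "oss-secirty"; it should be "oss-security", matching the list name in the URL it points to. Three grammar fixes in the same file: "please send the email to" should be "please send an email to", "we may setup a dedicated mail address" should be "we may set up a dedicated mail address", and "Before few hours of new release" should be "A few hours before the new release". On substance, "The fixes are committed to the private repository" does not say which repository; since the previous sentence opens a draft advisory with the GitHub security feature, name the private fork that workflow provides so a reader knows where the patch is developed before disclosure. The reporting address is a personal mailbox with no key published beside it; consider adding a PGP fingerprint and an expected acknowledgement time so reporters can send details encrypted and know when to follow up.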