---+!! Foswiki Security Alert Process
%TOC%

---++ I discovered a security issue. Now what?
%STARTSECTION{"report"}%
   * __%X% Important:__ If you believe you have discovered a security issue that could compromise Foswiki installations, please send an e-mail to the Community.SecurityTaskTeam via the foswiki-security mailing list at mailto:foswiki-security@lists.sourceforge.net. We will follow up in a timely manner with a fix and will inform administrators before the issue becomes public.
   * Note: You cannot subscribe to the foswiki-security mailing list; it is for the security team only. To keep yourself up to date with security announcements, please subscribe to the [[http://foswiki.org/Community/MailingLists#foswiki_announce_Announcements_a][foswiki-announce mailing list]].
%ENDSECTION{"report"}%

---++ How can I get notified of security issues?
   * Please subscribe to the foswiki-announce mailing list to get updates on new Foswiki releases and Foswiki vulnerabilities in a timely manner. See Community.MailingLists for information about the Foswiki mailing lists and how to subscribe to them.

---++ Security Alert Process
The Foswiki community does its best to provide a hotfix and to send Support.SecurityAlerts to Foswiki site administrators in a timely manner.

   * Someone sends an e-mail to the Community.SecurityTaskTeam via the foswiki-security mailing list at mailto:foswiki-security@lists.sourceforge.net
   * The Community.SecurityTaskTeam triages the seriousness of the issue:
      * Severity 1 issue: The web server can be compromised
         * Example: Software can be installed and executed remotely
         * Responsiveness goal: Fix and alert within 24 hours
      * Severity 2 issue: The Foswiki installation is compromised
         * Example: The access control of the admin group can be circumvented
         * Responsiveness goal: Fix and alert within 48 hours
      * Severity 3 issue: Foswiki content or a user's browser is compromised
         * Responsiveness goal: Handle as a bug report in the Tasks web, no alert
   * Action for Severity 1 and 2 issues:
      * Verify the issue
      * Create a hotfix for the affected Foswiki production releases
      * Initial alert: Alert foswiki-announce and foswiki-discuss mailing list members
      * After a 2 day grace period, avoiding weekends: Issue a public security advisory
      * Create a patched production release or a Hot Fix for the latest production release within 7 days
   * Action for Severity 3 issues:
      * File a bug report in the Tasks web
      * Fix in the development branch for the upcoming Foswiki production release

Note that the security team can choose to delay the initial alert by a few days if the fix is relatively easy to implement, so that the announcement can be made together with a full patch release.

---++ Security Alerts
   * Obtain a CVE number from Mitre.
   * [[WebCreateNewTopic][Create a new alert topic]] using SecurityAlertCVETemplate as the template, here in the Development web. Make sure the name is !SecurityAlert-CVE-Num-ber where Num-ber is the number from Mitre.
   * Make sure the new alert is access-protected so that only the security task team and admins can read it.
   * When ready, move the topic to the Support web and remove the read protection.
| *TopicClassification* | AdminTopic |
| *TopicSummary* | |
| *InterestedParties* | |
Topic revision: r4 - 11 Nov 2010, KennethLavrsen
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See CopyrightStatement.