[Projects] responsible disclosure

Even Rouault even.rouault at spatialys.com
Sat Jun 27 15:50:27 PDT 2015


Le dimanche 28 juin 2015 00:03:20, Jody Garnett a écrit :
> Wanted to bring up an idea for OSGeo projects around the responsible
> disclosure of security vulnerabilities.
> 
> I have some working notes in a blog post here
> <http://blog.geoserver.org/2015/06/27/geoserver-xee-vulnerability/> that
> will be making their way into the geoserver developers guide and website:
> 
> *Responsible Disclosure*
> 
> > If you encounter a security vulnerability in GeoServer, or any other open
> > source software, please take care to report the issue in a responsible
> > fashion:
> >    - Keep exploit details out of issue report (send to developer/PSC
> >    privately – just like you would do for sensitive sample data)

Shouldn't the whole report be private? Even without the exploit itself, 
mentioning the vulnerability class could already be sufficient for ill-
intentioned people to figure out the exploit. Especially with XEE where the 
attack vectors are "standardized". If it is "arbitrary code execution" then 
I agree it doesn't tell much by itself about how to exploit it.


> >    - Be prepared to work with Project Steering Committee (PSC) members on
> >    a solution
> >    - Keep in mind PSC members are volunteers and an extensive fix may
> >    require fundraising / resources
> > 
> > If you are not in position to communicate in public (or make use of the
> > issue tracker) please consider commercial support
> > <http://geoserver.org/support/>, contacting a PSC member
> > <http://docs.geoserver.org/latest/en/developer/policies/psc.html#current-psc>
> > privately or contacting us via the Open Source Geospatial Foundation at
> > info at osgeo.org.
> 
> While I would hope some of the above is common sense, please consider your
> projects guidelines (perhaps something like the above would be
> appropriate).
> 
> Aside: I have taken the liberty of using info at osgeo.org as a contact point
> for the GeoServer PSC as it is a public email address suitable for
> communication. In the past Jeff (or others) have been kind enough to make
> an appropriate introduction to a member of the GeoServer PSC.
> 
> Any feedback/discussion welcome.
> --
> Jody Garnett

-- 
Spatialys - Geospatial professional services
http://www.spatialys.com