author | Elliott Hughes <enh@google.com> | 2018-10-30 11:28:38 -0700 |
---|---|---|
committer | Elliott Hughes <enh@google.com> | 2018-10-30 11:28:38 -0700 |
commit | b1ef70f7d9fdfa1431b948df6ae7bb0b15966dee (patch) | |
tree | 24facefd22d2ca56694f740049660701da90ee9a /docs/SECURITY-PROCESS.md | |
parent | 8c49d19ccbe7df4ce7b150f5d92eaddcc7f369df (diff) | |
download | external_curl-b1ef70f7d9fdfa1431b948df6ae7bb0b15966dee.tar.gz external_curl-b1ef70f7d9fdfa1431b948df6ae7bb0b15966dee.tar.bz2 external_curl-b1ef70f7d9fdfa1431b948df6ae7bb0b15966dee.zip |
Update to curl 7.61.1 - September 5 2018.
Bug: N/A
Test: builds, boots, `vendor/google/tools/fake-ota on streaming` works
Change-Id: Ic8598fc9d0bc029640ea3cbcecf4820d1de8f6ae
Diffstat (limited to 'docs/SECURITY-PROCESS.md')
-rw-r--r-- | docs/SECURITY-PROCESS.md | 34 |
1 files changed, 15 insertions, 19 deletions
diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md index 4991d5fb..6ef7757c 100644 --- a/docs/SECURITY-PROCESS.md +++ b/docs/SECURITY-PROCESS.md @@ -90,18 +90,6 @@ announcement. - The security web page on the web site should get the new vulnerability mentioned. -Pre-notification ----------------- - -If you think you are or should be eligible for a pre-notification about -upcoming security announcements for curl, we urge OS distros and similar -vendors to primarily join the distros@openwall list as that is one of the -purposes of that list - and not just for curl of course. - -If you are not a distro or otherwise not suitable for distros@openwall and yet -want pre-notifications from us, contact the curl security team with a detailed -and clear explanation why this is the case. - curl-security (at haxx dot se) ------------------------------ 
@@ -121,19 +109,27 @@ Publishing Security Advisories 1. Write up the security advisory, using markdown syntax. Use the same subtitles as last time to maintain consistency. -2. Name the advisory file (and ultimately the URL to be used when the flaw - gets published), using a randomized component so that third parties that - are involved in the process for each individual flaw will not be given - insights about possible *other* flaws worked on in parallel. - `adv_YEAR_RANDOM.md` has been used before. +2. Name the advisory file after the allocated CVE id. 3. Add a line on the top of the array in `curl-www/docs/vuln.pm'. 4. Put the new advisory markdown file in the curl-www/docs/ directory. Add it - to the git repo. Update the Makefile in the same directory to build the - HTML representation. + to the git repo. 5. Run `make` in your local web checkout and verify that things look fine. 6. On security advisory release day, push the changes on the curl-www repository's remote master branch. + +Hackerone Internet Bug Bounty +----------------------------- + +The curl project does not run any bounty program on its own, but there are +outside organizations that do. First report your issue the normal way and +proceed as described in this document. + +Then, if the issue is [critical](https://hackerone.com/ibb-data), you are +eligible to apply for a bounty from Hackerone for your find. + +Once your reported vulnerability has been publicly disclosed by the curl +project, you can submit a [report to them](https://hackerone.com/ibb-data).
\ No newline at end of file |
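Review bot: in the first hunk (@@ -90,18 +90,6 @@), deleting the whole Pre-notification section leaves the process document silent on whether curl still pre-notifies anyone and on how a distribution would get onto that channel; after the change, the text at the top of the hunk ("The security web page on the web site should get the new vulnerability mentioned.") runs straight into the "curl-security (at haxx dot se)" heading. If pre-notification via distros@openwall still happens, keep a one-line pointer to it; if it has been discontinued, say so explicitly, so vendors reading this file do not assume they are covered.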
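Review bot: in the second hunk (@@ -121,19 +109,27 @@), step 2 replaces the randomized `adv_YEAR_RANDOM.md` scheme with "Name the advisory file after the allocated CVE id." but removes the stated rationale for the random component (that third parties involved in one flaw "will not be given insights about possible *other* flaws worked on in parallel") without saying why that concern no longer applies; since the old text notes the file name is "ultimately the URL to be used when the flaw gets published", a CVE-based name makes that URL guessable to anyone who knows the CVE id, and the new step should either state that this is accepted or tie it to step 6 (nothing is pushed before release day). Separately, step 4 drops "Update the Makefile in the same directory to build the HTML representation" while step 5 still says "Run `make` in your local web checkout and verify that things look fine."; please confirm the curl-www Makefile now picks up new advisory markdown files automatically, otherwise step 5 cannot build the new advisory. Minor: the unchanged context line `curl-www/docs/vuln.pm'` opens with a backtick and closes with a single quote, worth fixing while this list is being edited.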