Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

CONTRIBUTING.md: Vulnerability reporting instructions and criteria #43

Merged
merged 1 commit into from
Jul 23, 2018
Merged

CONTRIBUTING.md: Vulnerability reporting instructions and criteria #43

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 55 additions & 0 deletions CONTRIBUTING.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
# Reporting Vulnerabilities

To add an advisory to the RustSec database, open a [Pull Request] against
this repository containing the new advisory:

1. Create a file named `RUSTSEC-0000-0000.toml` in the `crates/<yourcratename>`
subdirectory of this repository (you may need to create it if it doesn't exist)
2. Copy and paste the [TOML advisory template] from the README.md file in this repo.
Delete the comments and additional whitespace, and fill it out with the
details of the advisory.
3. Open a [Pull Request]. After being reviewed your advisory will be assigned
a `RUSTSEC-*` advisory identifier and be published to the database.
4. (Optional, but recommended) Request a CVE for your vulnerability:
https://iwantacve.org/

[Pull Request]: https://github.com/RustSec/advisory-db/pulls
[TOML advisory template]: https://github.com/RustSec/advisory-db#format

## Criteria

RustSec is a database of security vulnerabilities. The following are
examples of qualifying vulnerabilities:

* Code Execution (i.e. RCE)
* Memory Corruption
* Privilege Escalation (either at OS level or inside of an app/library)
* File Disclosure / Directory Traversal
* Web Security (e.g. XSS, CSRF)
* Format Injection, e.g. shell escaping, SQL injection (and also XSS)
* Cryptography Failure (e.g. confidentiality breakage, integrity breakage, key leakage)
* Covert Channels (e.g. Spectre, Meltdown)
* Panics in code advertised as "panic-free" (particularly if useful for network DoS attacks)

When in doubt, please open a PR.

## FAQ

**Q: Do I need to be owner of a crate to file an advisory?**

A: No, anyone can file an advisory against any crate. The legitimacy of
vulnerabilities will be determined prior to merging. If a vulnerability
turns out to be fake it will be removed from the database.

**Q: Can I file an advisory without creating a pull request?**

A: Yes, instead of creating a full advisory yourself you can also
[open an issue on the advisory-db repo]: https://github.com/RustSec/advisory-db/issues
or email information about the vulnerability to
[rustsec@googlegroups.com](mailto:rustsec@googlegroups.com).

**Q: Does this project have a GPG key or other means of handling embargoed vulnerabilities?**

A: We do not presently handle embargoed vulnerabilities. Please ensure embargoes
have been lifted and details have been disclosed to the public prior to filing
them against RustSec.