
Add documentation for reporting vulnerabilities

Open postmodern opened this issue 12 years ago • 15 comments

Document the steps to report a vulnerability.

  1. OSVDB: email [email protected] and/or message @osvdb on GitHub or Twitter.
  2. Request a CVE from oss-sec mailing list or reserve a CVE from MITRE.
  3. Once OSVDB or CVE have been obtained, send advisory to [email protected].

postmodern avatar Dec 12 '13 05:12 postmodern

+1. This would be very useful. I don't know anything about how this works, and I expect others in Ruby don't either.

ghost avatar Dec 12 '13 12:12 ghost

+1

jordimassaguerpla avatar Dec 12 '13 12:12 jordimassaguerpla

Also, how should maintainers notify users? Recommend that everyone sign up to a rubysec list on librelist? Subscribe to an RSS feed? Follow [ANN SEC] on ruby-talk? The rubysec IRC channel on freenode? Twitter?

It would be great to subscribe to the gems you use for notifications, but that's a more complicated feature. However, it's sort of already implemented on the rubygems.org site, where you can subscribe to gems. Now it just needs to notify of vulns.

cc @drbrain

bf4 avatar Dec 12 '13 13:12 bf4

I can update the rubygems security guide once this is up to date.

bf4 avatar Dec 12 '13 13:12 bf4

Maybe gems-status-web could be of help here. See:

https://github.com/jordimassaguerpla/gems-status-web/blob/master/README.md

You can get notifications on your gems (based on a Gemfile), and the software gets alerts from different sources: mailing lists and commits on upstream.

jordimassaguerpla avatar Dec 12 '13 14:12 jordimassaguerpla

For the record, there are several hosted tools that can help keep users updated too. (Gemnasium and gemcanary)

dwradcliffe avatar Dec 12 '13 14:12 dwradcliffe

Also, bundler-audit may be of interest:

https://github.com/postmodern/bundler-audit

jordimassaguerpla avatar Dec 12 '13 14:12 jordimassaguerpla

@bf4 for general RubyGems security announcements, I believe [email protected] is the right place.

postmodern avatar Dec 12 '13 22:12 postmodern

@postmodern how does one accomplish:

Request a CVE from oss-sec mailing list or reserve a CVE from MITRE

Is there a template people can use? Ditto re: osvdb email.

phillmv avatar Dec 17 '13 15:12 phillmv

For requesting a CVE from MITRE: http://cve.mitre.org/cve/request_id.html

postmodern avatar Dec 17 '13 20:12 postmodern

Or publicly on oss-security: https://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html

ghost avatar Dec 17 '13 20:12 ghost

There's also http://guides.rubygems.org/security/#reporting-security-vulnerabilities as well, though it's a bit outdated (I'm working on fixing).

reedloden avatar Jul 15 '15 09:07 reedloden

I submitted https://github.com/rubygems/guides/pull/134 to get the rubygems guide page updated.

Basically, the steps I see that need to be followed are:

  1. Request a CVE (via e-mail to one of the addresses on https://github.com/RedHatProductSecurity/CVE-HOWTO#how-do-i-request-a-cve)
  2. Release new version of gem
  3. Send an email to several lists including [email protected], [email protected], and [email protected] outlining the vulnerability, which versions of your gem it affects, and what actions those depending on the gem should take (generally, just what version(s) of the gem they need to update to). Make sure to use a subject that includes the gem name, some short summary of the vulnerability, and the CVE ID if you have one.
  4. Forward the e-mail you just sent for the above to [email protected] to get an OSVDB ID assigned.
  5. Submit a PR (or just file an issue) for adding the vulnerability to https://github.com/rubysec/ruby-advisory-db/.

Could move step 4 up to after step 1... Really depends on whether blocking on MITRE / OSVDB is appropriate.

reedloden avatar Aug 03 '15 00:08 reedloden
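As an added example that is not part of the thread: step 5 above feeds ruby-advisory-db, and tools like bundler-audit consume those entries by matching a Gemfile.lock against each advisory's `patched_versions` / `unaffected_versions` requirements. The script below reimplements that check in plain Ruby; the advisory and the lockfile fragment are constructed, and the gem name and CVE id are placeholders rather than a real advisory.

```ruby
require "yaml"
require "date"

# Constructed advisory in the ruby-advisory-db layout (gems/<name>/CVE-*.yml).
# Gem name and CVE id are placeholders; this is not a real advisory.
ADVISORY_YAML = <<~YAML
  gem: example-gem
  cve: "0000-PLACEHOLDER"
  date: 2015-08-03
  title: Placeholder advisory used only to exercise the matching logic
  patched_versions:
    - "~> 1.2.4"
    - ">= 2.0.1"
  unaffected_versions:
    - "< 1.0"
YAML

# Constructed Gemfile.lock fragment; a real tool reads the project's own file.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-gem (1.2.3)
      other-gem (0.9.0)
LOCK

# Parse the "name (version)" lines from the specs section of a Gemfile.lock.
def locked_gems(lockfile)
  lockfile.scan(/^\s{4}(\S+) \((\d[^)]*)\)$/)
          .map { |name, ver| [name, Gem::Version.new(ver)] }
end

# A locked version is safe if any patched or unaffected requirement admits it.
def vulnerable?(advisory, version)
  safe = advisory.fetch("patched_versions", []) + advisory.fetch("unaffected_versions", [])
  safe.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Return [gem, version, cve] triples for locked gems matched by an advisory.
def audit(lockfile, advisories)
  locked_gems(lockfile).flat_map do |name, version|
    advisories.select { |a| a["gem"] == name && vulnerable?(a, version) }
              .map { |a| [name, version.to_s, "CVE-#{a["cve"]}"] }
  end
end

if __FILE__ == $0
  advisories = [YAML.safe_load(ADVISORY_YAML, permitted_classes: [Date])]
  audit(LOCKFILE, advisories).each { |g, v, c| puts "#{g} #{v}: #{c}" }
end
```

Because matching is done with `Gem::Requirement`, an advisory that lists only patched ranges will flag every version outside them, which is why a database entry should carry both the patched and the unaffected ranges.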

Get the CVE as early as possible, otherwise everyone has to go back and update their report, if the CVE goes out with the initial report it makes life soooo much easier later. Depending on the severity of the issue blocking/not blocking may be appropriate.


Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

ghost avatar Aug 03 '15 00:08 ghost

@kseifriedredhat Sadly, MITRE is quite slow. Still waiting on CVE assignments for things I sent to oss-security@ / cve-assign@ quite a long time ago.

reedloden avatar Aug 03 '15 00:08 reedloden