1 | 1 | Security Policy |
2 | 2 | =============== |
3 | 3 |
|
4 | | -This file describes how security issues are reported and handled, and what the |
5 | | -expectations are for security issues reported to this project. |
| 4 | +This file describes how security issues are reported and handled by |
| 5 | +OpenPrinting, and what the expectations are for security issues reported to |
| 6 | +this project. |
6 | 7 |
|
7 | 8 |
|
8 | | -Reporting a Security Bug |
9 | | ------------------------- |
| 9 | +Supported Versions |
| 10 | +------------------ |
| 11 | + |
| 12 | +This security policy only applies to production releases of this software. A |
| 13 | +production release is tagged and given a semantic version number of the form |
| 14 | +"MAJOR.MINOR.PATCH" where "MAJOR" is an integer starting at 1 and "MINOR" and |
| 15 | +"PATCH" are integers starting at 0. |
| 16 | + |
| 17 | +> *Note:* Please report security vulnerabilities that only affect unreleased |
| 18 | +> code as regular bugs. |
| 19 | +
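Review bot: The new "Supported Versions" section (lines 12-18) drops two things the old section stated: how beta and release-candidate versions are numbered (the old "MAJOR.MINORbNUMBER" / "MAJOR.MINORrcNUMBER" forms, e.g. "1.0b1", "1.0rc1") and the guidance that vendors should not package unstable snapshots, betas or release candidates. Consider keeping one sentence such as "Beta releases and release candidates (e.g. 1.0b1, 1.0rc1) are not production releases and should not be packaged by vendors." so that the note about reporting unreleased-code issues as regular bugs has a clear definition of "unreleased" to point at.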
|
| 20 | + |
| 21 | +Is the Issue a Bug or a Security Vulnerability? |
| 22 | +----------------------------------------------- |
| 23 | + |
| 24 | +OpenPrinting has defined criteria for identifying whether issues are handled as |
| 25 | +regular project bugs or as security vulnerabilities that use the "Reporting a |
| 26 | +Vulnerability" process below. |
| 27 | + |
| 28 | +The following kinds of issues are generally treated as security vulnerabilities |
| 29 | +by OpenPrinting: |
| 30 | + |
| 31 | +- Daemon/service crashes/hangs caused by a network request, |
| 32 | +- Remote code execution code via software provided by OpenPrinting, |
| 33 | +- Privilege escalation that allows unauthorized actions or information |
| 34 | + disclosure, |
| 35 | +- Common weaknesses (buffer overflow, divide-by-zero, input validation, |
| 36 | + use-after-free, etc.) that lead to a demonstrated (not theoretical) exploit. |
| 37 | + |
| 38 | +The following kinds of issues are generally treated as regular bugs by |
| 39 | +OpenPrinting: |
| 40 | + |
| 41 | +- Vulnerabilities caused by mis-configuration |
| 42 | +- Issues caused by incorrect API usage |
| 43 | +- Issues that only exist in non-production software |
| 44 | + |
| 45 | +Regular bugs should be reported to the project using the GitHub (public) issue |
| 46 | +tracker page at <https://github.com/OpenPrinting/libcups/issues>. |
10 | 47 |
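Review bot: Line 32 reads "Remote code execution code via software provided by OpenPrinting", which duplicates "code"; suggest "Remote code execution via software provided by OpenPrinting". The two lists in this section also use different punctuation (the first ends items with commas and a final period, the second has none); pick one style for both. It may also be worth stating in the "regular bugs" list whether a vulnerability in a *default* configuration counts as "mis-configuration", since the distinction decides whether the report goes to the public tracker.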
|
11 | | -For the purposes of this project, a security bug is a software defect that |
12 | | -allows a *local or remote user* to gain unauthorized access or privileges on the |
13 | | -host computer or to cause the software to crash. Such defects should be |
14 | | -reported to the project security advisory page at |
| 48 | + |
| 49 | +Reporting a Security Vulnerability |
| 50 | +---------------------------------- |
| 51 | + |
| 52 | +Vulnerabilities should be reported to the project using the GitHub (private) |
| 53 | +security advisory page at |
15 | 54 | <https://github.com/OpenPrinting/libcups/security/advisories>. |
16 | 55 |
|
17 | | -Alternately, security bugs can be reported to "security AT msweet.org" using the |
18 | | -PGP public key below. Expect a response within 5 business days. Any proposed |
19 | | -embargo date should be at least 30 days and no more than 90 days in the future. |
| 56 | +Provide details, impact, reproducer, affected versions, workarounds, and a patch |
| 57 | +for the vulnerability, if applicable. |
20 | 58 |
|
21 | | -> *Note:* If you've found a software defect that allows a *program* to gain |
22 | | -> unauthorized access or privileges on the host computer or causes the program |
23 | | -> to crash, that defect should be reported as an ordinary project issue at |
24 | | -> <https://github.com/OpenPrinting/libcups/issues>. |
| 59 | +You can expect a response within 5 business days. |
25 | 60 |
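Review bot: With the removal of the "security AT msweet.org" alternative (old lines 17-19), the private GitHub advisory page is now the only reporting channel, which requires the reporter to have a GitHub account. Either say so explicitly, or keep a fallback contact for reporters who cannot use GitHub. The removed old note (lines 21-24) also told reporters where to file a defect exploitable only by a local *program*; that case is now covered implicitly by the new "Is the Issue a Bug or a Security Vulnerability?" section, so it would help to say "See the criteria above" here.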
|
26 | 61 |
|
27 | | -Responsible Disclosure |
28 | | ----------------------- |
| 62 | +How OpenPrinting Responds to Vulnerability Reports |
| 63 | +-------------------------------------------------- |
29 | 64 |
|
30 | | -With *responsible disclosure*, a security issue (and its fix) is disclosed only |
31 | | -after a mutually-agreed period of time (the "embargo date"). The issue and fix |
32 | | -are shared amongst and reviewed by the key stakeholders (Linux distributions, |
33 | | -OS vendors, etc.) and the CERT/CC. Fixes are released to the public on the |
34 | | -agreed-upon date. |
| 65 | +First, OpenPrinting takes every report seriously. There are (conservatively) |
| 66 | +several billion devices/systems using CUPS, so any security issue can affect a |
| 67 | +lot of people! |
35 | 68 |
|
36 | | -> Responsible disclosure applies only to production releases. A security |
37 | | -> vulnerability that only affects unreleased code can be fixed immediately |
38 | | -> without coordination. Vendors *should not* package and release unstable |
39 | | -> snapshots, beta releases, or release candidates of this software. |
| 69 | +Members of the OpenPrinting security team will try to verify/reproduce the |
| 70 | +reported issues in a timely fashion. Please keep in mind that many members of |
| 71 | +the security team are volunteers or are only employed part-time to maintain |
| 72 | +CUPS, so your patience is appreciated. |
40 | 73 |
|
| 74 | +Sometimes a reported issue is actually in another project's code. For these |
| 75 | +issues, we may ask you to re-submit your report to the correct project - an |
| 76 | +enhancement request has been submitted to GitHub to correct this limitation for |
| 77 | +projects hosted on GitHub. |
41 | 78 |
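Review bot: Lines 74-77 refer to "this limitation" without saying what the limitation is; state what cannot be done (presumably that a private advisory report cannot be moved from this repository to the project that actually owns the code), otherwise the reader cannot tell why re-submission is being requested. The dash in "correct project - an enhancement" is a hyphen; use a proper dash or split into two sentences.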
|
42 | | -Supported Versions |
43 | | ------------------- |
| 79 | +Other times we may verify the issue exists but disagree on the severity or |
| 80 | +scope of the issue. We assess vulnerabilities based on our supported platforms |
| 81 | +and common configurations because we need to be able to test and verify issues |
| 82 | +and fixes on those supported platforms. The final CVSS score determines how the |
| 83 | +vulnerability is disclosed - see below for details. |
| 84 | + |
| 85 | +Similar issues (if multiple vulnerabilities are reported) will be combined if |
| 86 | +they share a common root cause. We don't mean any disrespect by doing this, we |
| 87 | +just want to make sure your issues are truly and efficiently addressed in full. |
| 88 | + |
| 89 | +Once we have verified things, we will work towards providing a fix as quickly |
| 90 | +as possible. Fixes are typically developed against the "master" branch, then |
| 91 | +backported as needed to cover shipping CUPS releases on our supported platforms. |
| 92 | + |
| 93 | + |
| 94 | +Responsible Disclosure |
| 95 | +---------------------- |
44 | 96 |
|
45 | | -All production releases of this software are subject to this security policy. A |
46 | | -production release is tagged and given a semantic version number of the form: |
47 | | - |
48 | | - MAJOR.MINOR.PATCH |
49 | | - |
50 | | -where "MAJOR" is an integer starting at 1 and "MINOR" and "PATCH" are integers |
51 | | -starting at 0. A feature release has a "PATCH" value of 0, for example: |
52 | | - |
53 | | - 1.0.0 |
54 | | - 1.1.0 |
55 | | - 2.0.0 |
56 | | - |
57 | | -Beta releases and release candidates are *not* prodution releases and use |
58 | | -semantic version numbers of the form: |
59 | | - |
60 | | - MAJOR.MINORbNUMBER |
61 | | - MAJOR.MINORrcNUMBER |
62 | | - |
63 | | -where "MAJOR" and "MINOR" identify the new feature release version number and |
64 | | -"NUMBER" identifies a beta or release candidate number starting at 1, for |
65 | | -example: |
66 | | - |
67 | | - 1.0b1 |
68 | | - 1.0b2 |
69 | | - 1.0rc1 |
70 | | - |
71 | | - |
72 | | -PGP Public Key |
73 | | --------------- |
74 | | - |
75 | | -The following PGP public key can be used for signing security messages. |
76 | | - |
77 | | -``` |
78 | | ------BEGIN PGP PUBLIC KEY BLOCK----- |
79 | | -Comment: GPGTools - https://gpgtools.org |
80 | | -
|
81 | | -mQINBF6L0RgBEAC8FTqc/1Al+pWW+ULE0OB2qdbiA2NBjEm0X0WhvpjkqihS1Oih |
82 | | -ij3fzFxKJ+DgutQyDb4QFD8tCFL0f0rtNL1Iz8TtiAJjvlhL4kG5cdq5HYEchO10 |
83 | | -qFeZ1DqvnHXB4pbKouEQ7Q/FqB1PG+m6y2q1ntgW+VPKm/nFUWBCmhTQicY3FOEG |
84 | | -q9r90enc8vhQGOX4p01KR0+izI/g+97pWgMMj5N4zHuXV/GrPhlVgo3Wn1OfEuX4 |
85 | | -9vmv7GX4G17Me3E3LOo0c6fmPHJsrRG5oifLpvEJXVZW/RhJR3/pKMPSI5gW8Sal |
86 | | -lKAkNeV7aZG3U0DCiIVL6E4FrqXP4PPj1KBixtxOHqzQW8EJwuqbszNN3vp9w6jM |
87 | | -GvGtl8w5Qrw/BwnGC6Dmw+Qv04p9JRY2lygzZYcKuwZbLzBdC2CYy7P2shoKiymX |
88 | | -ARv+i+bUl6OmtDe2aYaqRkNDgJkpuVInBlMHwOyLP6fN2o7ETXQZ+0a1vQsgjmD+ |
89 | | -Mngkc44HRnzsIJ3Ga4WwW8ggnAwUzJ/DgJFYOSbRUF/djBT4/EFoU+/kjXRqq8/d |
90 | | -c8HjZtz2L27njmMw68/bYmY1TliLp50PXGzJA/KeY90stwKtTI0ufwAyi9i9BaYq |
91 | | -cGbdq5jnfSNMDdKW2kLCNTQeUWSSytMTsdU0Av3Jrv5KQF8x5GaXcpCOTwARAQAB |
92 | | -tExNaWNoYWVsIFN3ZWV0IChzZWN1cml0eUBtc3dlZXQub3JnKSAoU2VjdXJpdHkg |
93 | | -UEdQIEtleSkgPHNlY3VyaXR5QG1zd2VldC5vcmc+iQJUBBMBCgA+FiEEOElfSXYU |
94 | | -h91AF0sBpZiItz2feQIFAl6L0RgCGwMFCQeGH4AFCwkIBwMFFQoJCAsFFgIDAQAC |
95 | | -HgECF4AACgkQpZiItz2feQIhjhAAqZHuQJkPBsAKUvJtPiyunpR6JENTUIDxnVXG |
96 | | -nue+Zev+B7PzQ7C4CAx7vXwuWTt/BXoyQFKRUrm+YGiBTvLYQ8fPqudDnycSaf/A |
97 | | -n01Ushdlhyg1wmCBGHTgt29IkEZphNj6BebRd675RTOSD5y14jrqUb+gxRNuNDa5 |
98 | | -ZiZBlBE4A8TV6nvlCyLP5oXyTvKQRFCh4dEiL5ZvpoxnhNvJpSe1ohL8iJ9aeAd5 |
99 | | -JdakOKi8MmidRPYC5IldXwduW7VC7dtqSiPqT5aSN0GJ8nIhSpn/ZkOEAPHAtxxa |
100 | | -0VgjltXwUDktu74MUUghdg2vC1df2Z+PqHLsGEqOmxoBIJYXroIqSEpO3Ma7hz0r |
101 | | -Xg1AWHMR/xxiLXLxgaZRvTp7AlaNjbqww8JDG8g+nDIeGsgIwWN/6uPczledvDQa |
102 | | -HtlMfN97i+rt6sCu13UMZHpBKOGg7eAGRhgpOwpUqmlW1b+ojRHGkmZ8oJSE7sFT |
103 | | -gzSGNkmfVgA1ILl0mi8OBVZ4jlUg6EgVsiPlzolH92iscK7g50PdjzpQe0m3gmcL |
104 | | -dpOmSL8Fti05dPfamJzIvJd28kMZ6yMnACKj9rq/VpfgYBLK8dbNUjEOQ2oq7PyR |
105 | | -Ye/LE1OmAJwfZQkyQNI8yAFXoRJ8u3/bRb3SPvGGWquGBDKHv2K1XiCW65uyLe5B |
106 | | -RNJWmme5Ag0EXovRGAEQAJZMFeIMt/ocLskrp89ZyBTTiavFKn9+QW7C2Mb36A73 |
107 | | -J2g9vRFBSRizb+t8lSzP/T1GbKS0cEmfEpQppWImTbOMV6ZgxrM0IUy1Yd7Kyc0K |
108 | | -oNMZvykRYwVMzxB5hiQ88kCLfqTNCveIvu1xcB9pWkf+cuDmGCxA3I+yc3Eh/SOP |
109 | | -urDsHObt7fyEmJpSxCXlMFHRCuWyGXhMNvhR186t9mANW0PyxKJ8efr+2Vhm1+pA |
110 | | -Vk9JESac/lREvx9PVFmlPdqgqRkQ0TQB5+ROo9Wy77cxQr5+rvSZZff630I1YgZf |
111 | | -Ph6xOV1/q6vJ3RBNA2nPSTjPeeWQ7pTn7PZGJwCjIUjhMbO+EJVKUJNOAEg033mG |
112 | | -tLfbFUYdhA/dRgFuKz90loCMfsnf3e4o/TFydSHUuwBUtOWkL1BBWEbk95M/Zr00 |
113 | | -w5fD9knas1u5Lc4ogXzTFPnvJ6hM1RAFJEd+FYzJZIvzwrIx4Ag1DOKViVBpeLTu |
114 | | -HWj+xckEgvxEBglplALzfSIJ0CLQSNL8iMFbzCnPeUoQfPkqu37KHrB9syAA06Tb |
115 | | -qw1Ax0qBqKInGIgBd0w6dFLF3s04xVcPAXWyJ0w4I7h2bs+aD6YwwK6xxCtXxtN5 |
116 | | -Q1LQM8s3tKNXER3mZ8zfwgwjsdLVwhXhysFi6Dlkvk/Vrbn1QDfJnzq+F9LsGRGb |
117 | | -ABEBAAGJAjwEGAEKACYWIQQ4SV9JdhSH3UAXSwGlmIi3PZ95AgUCXovRGAIbDAUJ |
118 | | -B4YfgAAKCRClmIi3PZ95AhDZD/40fShzDS/smZZL0oXN4GgZ62FrXWBdLjontkXo |
119 | | -d8hDh1wJZwqsLVbtO2Gu0CPeH9GclQ3bYsR19sGMM4FDgjMu57O/TU6GZl2Ywcjh |
120 | | -ayhRTHyAq/BKZn71AM0N7LS8MdNTaLbTbzEu5oGbAmOVv5f0SUnQoGxbeF8ih5bo |
121 | | -hR3ZcORujWMgnymL3+cerNyIDQAtfMAUTfpVcwem4CvquA9Wjtur8YN1t+N7I3o2 |
122 | | -eMTNSyNUL9Yx3NxbyJ0yrrMvASo+ZVRaPW5+ET9Iqd68ILSY04Gnar3URJssggX8 |
123 | | -+cuyEbP9bAG8qYqcr2aSC2dW84mL/RnZGR//1dfS0Ugk6Osj0LSF5i+mz0CbIjYQ |
124 | | -PKgLlgpycuGZBC5kG3RWWfanM0HxPDx10a7vEWA1A5Q+csx4yi3CW/giC1zAdhUO |
125 | | -cJ1l4Uj/oxpGeLN7BnT/2NzU/px2fpbaG+xU4HlwjzFM2cIOUIohHFhdvFZbFIIA |
126 | | -mePqTBnEB3HtXYRTgMoYDXLWhlOXjyVnMR45WDfvEA3KqbAz6sNMtaOJ6rHBWnR1 |
127 | | -1YbpvDWUeaGSLXBoGyo3RgTrN9jON8lE/oUxFobnEdfZGD+uwIniylc5rw3+VkBU |
128 | | -+QGZDfgPgxjSmKsWq1cK6rNfBacGYrdyqf90VemEsvR8r0Ump0RPzBMlAAq0Xkup |
129 | | -WkiKlA== |
130 | | -=0GzT |
131 | | ------END PGP PUBLIC KEY BLOCK----- |
132 | | -``` |
| 97 | +With *responsible disclosure*, the issue and its fixes are shared amongst and |
| 98 | +reviewed by the key stakeholders (Linux distributions, OS vendors, etc. on the |
| 99 | +`distros@vs.openwall.org` mailing list) and the CERT/CC. OpenPrinting requests |
| 100 | +a CVE when we have agreed-upon fixes ready. |
| 101 | + |
| 102 | +If the final CVSS score is 7 or more, or if a key stakeholder requests it, |
| 103 | +OpenPrinting coordinates a mutually-agreed period of time (the "embargo date") |
| 104 | +for when the fixes will be released. Otherwise, the fixes are pushed to the |
| 105 | +public repository immediately and included in a subsequent production release |
| 106 | +when convenient. |
| 107 | + |
| 108 | +> *Note:* An embargo starts a flurry of activity. Hundreds of developers |
| 109 | +> supporting every Linux distribution, the various BSD flavors, macOS, and |
| 110 | +> ChromeOS queue up security updates for their respective OS releases on the |
| 111 | +> embargo date. OpenPrinting limits the embargo process to high severity |
| 112 | +> issues to better manage limited developer resources. |
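Review bot: The new "Responsible Disclosure" section no longer states the expected length of an embargo; the old text (lines 18-19) bounded it at "at least 30 days and no more than 90 days". Since lines 102-106 now tie the embargo to a CVSS score of 7 or more, add the expected window back (e.g. "typically 30 to 90 days") so reporters and distributions know what to plan for. Separately, the removal of the PGP public key block (old lines 72-132) leaves no way for a reporter to verify signed messages from the project; if the team still signs advisories or replies, say where the current key can be obtained.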