Add a section on reporting security vulnerabilities #89

Merged
39 changes: 39 additions & 0 deletions security.md
Expand Up @@ -10,6 +10,7 @@ Security practices are being actively discussed. Check back often.
* [General](#general)
* [Using Gems](#using-gems)
* [Building Gems](#building-gems)
* [Reporting Security Vulnerabilities](#reporting-security-vulnerabilities)

General
-------
Expand Down Expand Up @@ -127,6 +128,44 @@ Add cert paths to your gemspec

For details, see discussion [with Yorick Peterse](https://github.com/rubygems/guides/pull/70#issuecomment-29007487).

Reporting Security vulnerabilities
-------


### Reporting a security vulnerability with someone else's gem

If you spot a security vulnerability in someone else's gem, then you
first step should be to check whether this is a known vulnerability.

If this looks like a newly discovered vulnerability then you should
contact the author(s) privately (i.e. not via a pull request or issue on public
project) explaining the issue, how it can be exploited and ideally offering an
indication of how it might be fixed.

### Reporting a security vulnerability with your own gem

Firstly request a [CVE
identifier](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)
by mailing [email protected]. This identifier will make it easy to
uniquely identify the vulnerability when talking about it.

Secondly work out what people who depend on your gem should do to
resolve the vulnerability. This may involve releasing a patched version of you gem
that you can recommend they upgrade to.

Finally you need to tell people about the vulnerability. Currently there
is no single place to broadcast this information but a good place to
start might be to:

- Send an email to the Ruby Talk mailing list ([email protected])
with the subject prefix \[ANN]\[Security] outlining the vulnerabilty,
which versions of your gem it affects and what actions those depending
on the gem should take.

- Add it to an open source vulnerability database like
[OSVDB](http://osvdb.org/). You can do this by emailing [email protected]
and/or messaging @osvdb on GitHub or Twitter.

Credits
-------

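Review bot: the "someone else's gem" subsection says the first step is to check whether the vulnerability is already known, but never says where to check; point readers to a concrete place (the OSVDB database that the "your own gem" subsection already names would do) so both halves of the section are actionable. The new heading `Reporting Security vulnerabilities` also does not match the table-of-contents entry `Reporting Security Vulnerabilities` added in the first hunk; pick one capitalization. A few typos while you are in there: "then you first step" should read "then your first step", "issue on public project" should read "issue on a public project", "patched version of you gem" should read "of your gem", and "vulnerabilty" should read "vulnerability"; the double blank line after the heading can be collapsed to one.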