diff --git a/content/security/index.adoc b/content/security/index.adoc index f8e14dc47fc2..7d3f5e3b05cb 100644 --- a/content/security/index.adoc +++ b/content/security/index.adoc @@ -40,17 +40,8 @@ Even if you run Jenkins on a private network and trust everyone in your team, se == How to Report a Security Vulnerability If you find a vulnerability in Jenkins, please link:https://issues.jenkins.io/secure/CreateIssueDetails!init.jspa?pid=10180&issuetype=10103[report it in the issue tracker under the SECURITY project]. -This project is configured in such a way that only the reporter, the maintainers, and the Jenkins security team can see the details. -Restricting access to this potentially sensitive information allows core and plugin maintainers to develop effective security fixes that are safe to apply. -We provide issue reporting guidelines and an overview of our process on link:reporting[Reporting Security Vulnerabilities]. - -If you are unable to report using our issue tracker, you can also send your report to the private Jenkins Security Team mailing list: -`jenkinsci-cert@googlegroups.com` - -IMPORTANT: Do not contact the Jenkins security team asking us for compliance documents, certifications, or to fill out a questionnaire. -We will not respond to such queries. -If we consider it necessary to provide a statement in response to incidents such as link:/blog/2021/12/10/log4j2-rce-CVE-2021-44228/[log4shell] or link:/blog/2022/03/31/spring-rce-CVE-2022-22965/[SpringShell], you will find a response in our link:/blog/[blog]. +We provide issue reporting guidelines and an overview of our process on link:reporting[Reporting Security Vulnerabilities]. == Learn More diff --git a/content/security/reporting.adoc b/content/security/reporting.adoc index 45dc908ab98e..93896e0c552f 100644 --- a/content/security/reporting.adoc +++ b/content/security/reporting.adoc 
@@ -98,6 +98,25 @@ The following behaviors/issues are not vulnerabilities in Jenkins project infras * Publicly accessible Jenkins controllers other than ci.jenkins.io and weekly.ci.jenkins.io are not operated by the Jenkins project. Please do not contact us with any concerns regarding them. + +=== CVEs in dependencies + +In the case of CVEs found in third party dependencies included in the Jenkins project, if the ticket does not include reproduction steps, a proof or at least a good argument, we are closing it. +Those CVEs are internally analysed and most of the time the project is not impacted. +In those cases, we recommend reporters file public issues, or submit a pull request on GitHub updating the dependency. + +When a CVE has an impact to the security of Jenkins, we include it in an advisory, like link:/security/advisory/2022-09-09/#SECURITY-2868[CVE-2022-2048 in Jetty] or link:/security/advisory/2022-02-09/#SECURITY-2602[CVE-2021-43859 in XStream]. + +Instead of announcing a continuous flow of non-impacting vulnerabilities, our approach is to publish information only for those that we consider interesting, like critical score, widely spread, etc. +For them you will find an article in our link:/node/[blog], like: link:/blog/2021/12/10/log4j2-rce-CVE-2021-44228/[Log4Shell] or link:/blog/2022/03/31/spring-rce-CVE-2022-22965/[SpringShell]. + + +=== Compliance + +IMPORTANT: Do not contact the Jenkins security team asking us for compliance documents, certifications, or to fill out a questionnaire. +We will not respond to such queries. + + == Issue Handling Process Once reported, the Jenkins security team will perform an evaluation of the issue to determine affected components and whether the report is a valid security vulnerability.
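Review bot: The index.adoc hunk (`@@ -40,17 +40,8 @@`) drops the private mailing-list fallback `jenkinsci-cert@googlegroups.com` and the sentence explaining that SECURITY-project issues are visible only to the reporter, the maintainers and the security team, but nothing in this patch re-adds either elsewhere; the reporting.adoc hunk only gains the dependency-CVE and compliance sections. If the intent is to consolidate onto the reporting page, that page should pick up the mailing-list line in the same change so reporters who cannot use the tracker still have a documented channel; otherwise keep those two lines in index.adoc.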
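Review bot: In the new "CVEs in dependencies" section the blog link is `link:/node/[blog]`, while the text removed from index.adoc in this same patch used `link:/blog/[blog]`; use `/blog/` unless `/node/` is intentional. Wording in the same added lines: "third party" should be "third-party", "analysed" should be "analyzed" to match "behaviors" in the surrounding text, "we are closing it" reads better as "we will close it", "has an impact to" should be "has an impact on", and "widely spread" should be "widespread". The hunk also leaves two blank lines before `== Issue Handling Process` where one is enough.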