Add a section on reporting security vulnerabilities

…to the security page. The information about requesting a CVE is taken from https://cve.mitre.org/cve/request_id.html It seems much less clear how to tell the world about your issue and with no well recognised route, as far as I can tell. In the absence of any well trodden route I have suggested the ruby-talk mailing list since people already use this to announce new versions of gems. Further discussion can be found in issue #62
radar · Jun 29, 2014 · ff5743e · ff5743e
1 parent 36843f2
commit ff5743e
Showing 1 changed file with 39 additions and 0 deletions.
diff --git a/security.md b/security.md
@@ -10,6 +10,7 @@ Security practices are being actively discussed. Check back often.
 * [General](#general)
 * [Using Gems](#using-gems)
 * [Building Gems](#building-gems)
+* [Reporting Security Vulnerabilities](#reporting-security-vulnerabilities)
 
 General
 -------
@@ -127,6 +128,44 @@ Add cert paths to your gemspec
 
 For details, see discussion [with Yorick Peterse](https://github.com/rubygems/guides/pull/70#issuecomment-29007487).
 
+Reporting Security vulnerabilities
+-------
+
+
+### Reporting a security vulnerability with someone else's gem
+
+If you spot a security vulnerability in someone else's gem, then you
+first step should be to check whether this is a known vulnerability.
+
+If this looks like a newly discovered vulnerability then you should
+content the author(s) privately (i.e. not via a pull request or issue on public
+project) explaining the issue, how it can be exploited and ideally offering an
+indication of how it might be fixed.
+
+### Reporting a security vulnerability with your own gem
+
+Firstly request a [CVE
+identifier](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)
+by mailing [email protected]. This identifier will make it easy to
+uniquely identify the vulnerability when talking about it.
+
+Secondly work out what people who depend on your gem should do to
+resolve the vulnerability. This may involve releasing a patched version of you gem
+that you can recommend they upgrade to.
+
+Finally you need to tell people about the vulnerability. Currently there
+is no single place to broadcast this information but a good place to
+start might be to:
+
+- Send an email to the Ruby Talk mailing list ([email protected])
+  with the subject prefix \[ANN]\[Security] outlining the vulnerabilty,
+  which versions of your gem it affects and what actions those depending
+  on the gem should take.
+
+- Add it a to a open source vulnerability database like
+  [OSVDB](http://osvdb.org/). You can do this by emailing [email protected]
+  and/or messaging @osvdb on GitHub or Twitter.
+
 Credits
 -------