blob: b8328a5ec9c2a531ce16c253bb837979bdd7d8f6 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
# Security Process
If you find a vulnerability in our software, please report it via
GitHub "Private vulnerability reporting" feature at
https://github.com/nghttp2/nghttp2/security instead of submitting
issues on github issue page. It is a standard practice not to
disclose vulnerability information publicly until a fixed version is
released, or mitigation is worked out.
If we identify that the reported issue is really a vulnerability, we
open a new security advisory draft using [GitHub security
feature](https://github.com/nghttp2/nghttp2/security) and discuss the
mitigation and bug fixes there. The fixes are committed to the
private repository.
We write the security advisory and get CVE number from GitHub
privately. We also discuss the disclosure date to the public.
We make a new release with the fix at the same time when the
vulnerability is disclosed to public.
At least 7 days before the public disclosure date, we open a new issue
on [nghttp2 issue tracker](https://github.com/nghttp2/nghttp2/issues)
which notifies that the upcoming release will have a security fix.
The `SECURITY` label is attached to this kind of issue. The issue is
not opened if a vulnerability is already disclosed, and it is publicly
known that nghttp2 is affected by that.
Before few hours of new release, we merge the fixes to the master
branch (and/or a release branch if necessary) and make a new release.
Security advisory is disclosed on GitHub.
|