3

Consider an open source project that is under continuous development. During development, in your day-to-day work you do occasionally find some issues on your own. There are also users of your library reporting issues.

If a security advisory is to be published: which defects should be included in the advisory? Only the ones reported externally? Or also those you discover on your own?

Are there any references/guides for this topic?

Edit: I'm not asking how to do a responsible disclosure when I have found an issue in another library! The core of the question is whether issues that were not reported by externals, but found during your day-to-day work on your software, should also be published in an advisory.

eckes
  • I'm curious why you think the source of knowledge of the vulnerability matters. The point of an advisory is to let other people know about the potential for harm. How is who discovered it relevant? – Steve Sether Jul 27 '18 at 16:09

2 Answers

1

If there is a vulnerability in your product, your users need to know about it so they can protect themselves. Who discovered the vulnerability is irrelevant to your users, so it should not affect whether and how you communicate the vulnerability to them.

So if you publish security advisories, do it no matter who discovered the vulnerability.

Anders
    Following your suggestion, I make publishing dependent on a CVSSv3 rating rather than on who discovered the issue. Thx! – eckes Jul 27 '18 at 16:23
0

Security advisories are normally written by externals to inform the developers about issues. The information is then published after some time, to allow for fixes, for the reputation of the people finding the vulnerabilities.

You as a developer should inform the people using your software about the issues and how to solve them. You can decide how much information you want to publish.

There are standards for responsible disclosure:

trietend
    I think that advisories are published by vendors, not by externals: https://www.openssl.org/news/secadv/20180327.txt I'm explicitly not asking for how to do a responsible disclosure! – eckes Jun 27 '18 at 04:08
  • @eckes Not always by vendors. Debian for example releases DSAs despite the fact that most of the vulnerabilities are in software packages they use (the Linux kernel, glibc, binutils, etc). – forest Jun 27 '18 at 04:51