From: Jim Fuller Date: Fri, 5 Sep 2025 10:38:55 +0000 (+0200) Subject: docs: add major incident section to vuln disclosure policy X-Git-Tag: curl-8_16_0~22 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6905370df5fcf2b0d0fc443448d17fc98113b067;p=thirdparty%2Fcurl.git docs: add major incident section to vuln disclosure policy Closes #18483 --- diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md index 00cdf86ec0..b32b3d3f40 100644 --- a/docs/VULN-DISCLOSURE-POLICY.md +++ b/docs/VULN-DISCLOSURE-POLICY.md 
@@ -353,3 +353,90 @@ using the protocols or options that require the use of those algorithms. When servers upgrade to use secure alternatives, curl users should use those options/protocols. + +# curl major incident response + +Vulnerability disclosure manages the full life cycle of a vulnerability +affecting curl - where the **curl-security** team privately engages with +reporters coordinating on embargo and eventual release of security fixes. + +For most vulnerabilities (even critical vulnerabilities) this is the +normal _'mode'_ of incident response. + +A **major incident** is defined as something that has much larger scope and +impact on users and developers of curl. + +A major incident usually encompasses one or more of the following: +* broad and deep impact on developers, distros and users +* high visibility +* remote code execution +* exploit readily available +* critical curl infrastructure compromised +* time sensitive +* premature disclosure (e.g. embargo broken) + +A major incident is declared only when it is deemed that the normal +vulnerability disclosure process is not sufficient. + +The curl **major incident** process is as follows: + +## Major incident begins + +Only a member of the **curl-security** team can declare a **major incident** +via any or all of the following communication channels: + +* **irc**: channel #curl on the network [Libera.Chat](https://libera.chat) +* **mailing-lists**: + * curl-announce + * curl-users + * curl-distros +* **website**: [curl.se](https://curl.se) + +This declaration may also be transmitted via other channels, though the +above are considered official channels. + +The veracity of such a communication can be verified by consulting two +or more **curl-security** team members. 
+ +This announcement nominates, from **curl-security** team, the following +roles: + +* **incident lead** - Coordinates technical efforts +* **communication lead** - Single point of public contact + +It is likely that our [BDFL](https://en.wikipedia.org/wiki/Benevolent_dictator_for_life) occupies +one of these roles, though this plan does not depend on it. + +A declaration may also contain more detailed information but as we honor embargoes +and vulnerability disclosure throughout this process, it may also just contain +brief notification that a **major incident** is occurring. + +## Major incident ongoing + +During the incident - all press, media, legal or commercial entities should contact +communication leader (security@curl.se). + +Existing **curl-security** team internal communication channels are used +for all internal communication. + +Existing vulnerability disclosure process are followed for any embargoes +and fixes. + +Where possible, public communication are provided: +* regular communication from communication leader (ex. daily update) +* asynchronous communication from incident leader + +* Delivered to the aforementioned curl communication channels. + +A log is kept of all external and internal communication. + +Once fixes have been released we may provide a more detailed postmortem and +overall timeline of events. + +## Major incident ends + +Both the incident and communication leads declare when a **major incident** +has finished. + +Any notices are removed and a return to normal vulnerability disclosure +process.
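Review bot: the last paragraph of the new "Major incident ends" subsection, "Any notices are removed and a return to normal vulnerability disclosure process.", is a sentence fragment, and the "Major incident ongoing" subsection has several agreement and naming slips that should be fixed before this lands: "Existing vulnerability disclosure process are followed" and "public communication are provided" need "is", the roles are introduced as "incident lead" and "communication lead" but then referred to as "communication leader" and "incident leader", "from curl-security team" is missing "the", and the bullet "* Delivered to the aforementioned curl communication channels." is separated from the list it belongs to by a blank line, so it renders as a detached one-item list. Suggested wording for the ending: "Any notices are removed and the normal vulnerability disclosure process resumes." On substance, "The veracity of such a communication can be verified by consulting two or more curl-security team members." gives the reader no way to actually do that: IRC and the website are listed as official declaration channels, yet neither authenticates the sender, so consider stating how those team members are reached (security@curl.se is already named later in the hunk as the communication lead's contact) so that a forged declaration cannot be "confirmed" over the same unauthenticated channel it arrived on.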