Hi team!

I'm proposing an update to our SECURITY-PROCESS and I want everyone to be aware and have the ability to comment.

I think we should allow or even demand that Low+Medium issues get managed through plain PRs, but without highlighting or mentioning the security vulnerability risk.

This, to make sure that fixes get more eyeballs on them and get more time to mature before the pending release.

Previously we have merged them no more than 48 hours before release, and while that is time enough to make sure they cause no build problems, that's often not enough for the fixes to get enough eyeballs on them to get really good. This has more than once resulted in us landing incomplete fixes for security problems and then subsequently getting another one filed within the same area in a later release.

I'm proposing this for Low and Medium only, as for worse problems I think the risk is too high that we leak knowledge of the problem too early, before a fix is shipped in a release.

This update is being proposed in this PR:

  https://github.com/curl/curl/pull/10719

(This PR also updates details about the bug-bounty payout, but that should not need any debating.)

--

 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://curl.se/support.html