janhoy commented on code in PR #168: URL: https://github.com/apache/solr-site/pull/168#discussion_r3060821835
########## content/pages/security.md: ########## 
@@ -1,67 +1,44 @@ -Title: Solr™ Security News +Title: Solr™ Security URL: security.html save_as: security.html template: security -## How to report a security issue +## Report a New Vulnerability -### Published CVEs Detected by Scanners -Every CVE that is detected by a software scanner is by definition already public knowledge. That means the Solr PMC and the rest of the world probably already know about it. +The Solr PMC greatly appreciates responsible disclosure of new security vulnerabilities found in Solr itself +or demonstrating exploitation via a dependency. +**It is important not to publish a previously unknown exploit**, or exploit demonstration code, on public +mailing lists or issue trackers before coordinating with the PMC. -To find a path forward in addressing a detected CVE we suggest the following process for fastest results: +See the [vulnerability reporting procedure](security-reporting.html) for the full reporting rules, +the workflow diagram, and what to expect after you report. -1. Check [further down this page](#recent-cve-reports-for-apache-solr) to see if the CVE is listed as exploitable in Solr. -2. Check the [officially published non-exploitable vulnerabilities](#cve-reports-for-apache-solr-dependencies) list to see if the CVE is listed as not exploitable in Solr. -3. Search through the [Solr users mailing list archive](https://lists.apache.org/[email protected]) to see if anyone else has brought up this dependency CVE. -4. If no one has, then please do [subscribe to the users mailing list](https://solr.apache.org/community.html#mailing-lists-chat) and then send an email asking about the CVE. +## CVEs in Dependencies Detected by Scanners -#### Dos and Don'ts -* Please DO discuss the possible need for library upgrades on the user list. -* Please DO search Jira for the CVE number to see if we are addressing it already. 
-* Please DO create Jira issues and associated pull requests to propose and discuss upgrades of *a single specific* dependency. -* Please DO NOT attach a scan report, or paste output of a scan into Jira (just link the CVE instead) -* Please DO NOT email the security email below with a scan report it will be ignored. -* Please DO look into automating some of this with [VEX](#vex) and share your experience. - -#### Use of Jira -Jira is for discussing specific development modifications. Any Jira that contains only scan report output, or references multiple dependencies at the same time is likely to be ignored/closed. The large number of folks sending us reports of things that are already known is a serious drag on our (volunteer) time so **please search Jira** before opening a new issue. - -### New Exploits <span style="color:blue">You</span> Discover in Solr - -The Solr PMC greatly appreciates reports of new security vulnerabilities found in Solr itself or demonstrations of exploiting vulnerabilities via dependencies. -**It is important not to publish a previously unknown exploit**, or exploit demonstration code on public mailing lists. -Please disclose new exploits responsibly by following these [ASF guidelines](https://www.apache.org/security/) for reporting. -The contact email for reporting newly discovered exploits in Solr is <mailto:[email protected]>. +Every CVE detected by a scanner is by definition already public knowledge. +Before contacting the security team about a dependency CVE, please: -Before reporting a new exploit ensure that you have tested it against an instance of Solr that is running a [supported version](https://solr.apache.org/downloads.html) and has been properly configured with: +1. Check the [dependency CVE status page](security-dependency-cves.html) to see if the CVE has already + been assessed as not exploitable in Solr. +2. 
Download our [VEX file](security-dependency-cves.html) if your scanner supports VEX, to automatically suppress known non-applicable findings.

Review Comment: No need to ask people to download the file here, they will get that information on the page mentioned in step 1.
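Review bot: the new "CVEs in Dependencies Detected by Scanners" section opens with "Before contacting the security team about a dependency CVE, please:" and then lists only the status page and the VEX file, so as written it implies that the security address is the expected next step for scanner findings, which is exactly what the removed Dos and Don'ts tried to prevent ("Please DO NOT email the security email below with a scan report it will be ignored", "please search Jira before opening a new issue", and "discuss the possible need for library upgrades on the user list"). Suggest a closing step that routes dependency-CVE questions to the users mailing list and to a Jira search (one specific dependency per issue, link the CVE rather than pasting scan output), and keeping the statement that scan reports sent to the security address will not be handled, unless the part of the hunk below the visible context already carries that. Note also that the step 2 link ("security-dependency-cves.html") is the same target as step 1, which supports folding the VEX mention into step 1 as the existing review comment proposes.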
