Hi, I've proposed two PRs (libpcap/tcpdump) which add a SECURITY.md file to both projects. They are:

* https://github.com/the-tcpdump-group/tcpdump/pull/1403
* https://github.com/the-tcpdump-group/libpcap/pull/1613
This is based upon some discussion at the GVIP-project.org's Summit#01. I attach the SECURITY.md for discussion here.

# SECURITY reporting for TCPDUMP.

## Ethical Reporting Guidelines

If you have not read the Menlo Report: Ethical Principles Guiding Information and Communication Technology Research, August 2012, then are you really a security researcher?

* https://www.dhs.gov/sites/default/files/publications/CSD-MenloPrinciplesCORE-20120803_1.pdf
* (or https://web.archive.org/web/20251123232841/https://www.dhs.gov/sites/default/files/publications/CSD-MenloPrinciplesCORE-20120803_1.pdf)

If you are doing research, and you are using The Tcpdump Project as a target, then you MUST obtain our explicit consent before involving us in your research. We do not consent by default. The time of our maintainers is extremely valuable.

## Use of LLMs ("AI")

We do not accept reports generated by LLMs. We do not consent to your using our project to help train your LLM to do reports.

## Reporting

Send an e-mail to [email protected]. This is a closed list, from which you will receive communication from the project members. If you have a spam filter that requires any action on our behalf to confirm emails, then we will ignore you.

## Proof of Concept

We prioritize reports that contain a workable proof of concept. Ones without a proof of concept may be closed, unread. A proper proof of concept contains a packet capture (usually pcap format) that exploits the vulnerability. If the issue can not be exploited remotely, then is it really an exploit?

Reports that only affect versions of tcpdump that are installed with setuid or setgid privileges should be clearly marked as such. They may be local root exploits.

## Patches to fix bugs

Reports that contain patches that fix the reported bug (which includes a PoC) are the best. They are ideally integrated with the tests in the "tests/" subdirectory.

Please add the new test case as one commit, such that we can see the failure (the "red" signal). Then make a second commit that contains the fix, such that all tests now succeed.

## CVE numbers.

We do not assign CVEs to all reports, only ones that are actually exploitable in real world code, in versions that are released. Otherwise, your code fixes, if used verbatim, will be credited in git authorship.
_______________________________________________
tcpdump-workers mailing list -- [email protected]
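The two-commit convention in the draft (first commit: the new test alone, which must fail; second commit: the fix, after which all tests pass) can be checked mechanically by a maintainer. The script below is an added example and is not part of the tcpdump project or of the message above. It assumes `git` is installed; `parse.sh`, the `tests/` layout and the truncated input file are constructed stand-ins for tcpdump's real decoders and test suite. `make_demo_repo` builds a scratch repository that follows the convention, and `verify_red_green` performs the reviewer's check: the test suite must fail at `HEAD~1` and pass at `HEAD`.

```shell
#!/bin/sh
# Added example (not tcpdump's own code): build a scratch git repository in the
# "failing test commit, then fix commit" shape and verify its red/green signal.
# Assumes git is available. parse.sh, tests/ and short.bin are constructed
# stand-ins, not real tcpdump files.

run_tests() {
  # Run every tests/*.sh script inside the repo at "$1"; succeed only if all pass.
  for t in "$1"/tests/*.sh; do
    [ -e "$t" ] || continue
    sh "$t" "$1" || return 1
  done
  return 0
}

make_demo_repo() {
  # Create the scratch repository and print its path on stdout.
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    git -c init.defaultBranch=main init -q
    git config user.email "demo@example.invalid"
    git config user.name "demo"

    # Constructed "parser": it should reject inputs shorter than a 4-byte header.
    # The constructed defect is that the length check is missing entirely.
    cat > parse.sh <<'EOF'
#!/bin/sh
# usage: parse.sh <file>; exit 0 if the file carries a valid 4-byte header
f=$1
wc -c < "$f" > /dev/null
exit 0
EOF
    git add parse.sh
    git commit -q -m "parser without length check"

    # Commit 1: only the new test case and its input (the "red" signal).
    mkdir tests
    printf 'AB' > tests/short.bin      # 2 bytes: shorter than the header
    cat > tests/short-input.sh <<'EOF'
#!/bin/sh
# Expect parse.sh to reject a truncated input with a non-zero exit status.
repo=$1
if sh "$repo/parse.sh" "$repo/tests/short.bin"; then
  echo "FAIL: truncated input accepted"; exit 1
fi
exit 0
EOF
    git add tests
    git commit -q -m "tests: add truncated-header case"

    # Commit 2: the fix, after which the whole suite passes (the "green" signal).
    cat > parse.sh <<'EOF'
#!/bin/sh
# usage: parse.sh <file>; exit 0 if the file carries a valid 4-byte header
f=$1
size=$(wc -c < "$f" | tr -d ' ')
[ "$size" -ge 4 ] || { echo "truncated header" >&2; exit 1; }
exit 0
EOF
    git add parse.sh
    git commit -q -m "parser: reject inputs shorter than the header"
  ) || return 1
  printf '%s\n' "$dir"
}

verify_red_green() {
  # Maintainer-side check of the two-commit series in repo "$1":
  # tests must fail at HEAD~1 (red) and pass at HEAD (green).
  repo=$1
  head=$(git -C "$repo" rev-parse HEAD) || return 1
  git -C "$repo" checkout -q "$head~1" || return 1
  if run_tests "$repo"; then
    git -C "$repo" checkout -q "$head"
    echo "not red: the test already passes before the fix"; return 1
  fi
  git -C "$repo" checkout -q "$head" || return 1
  if run_tests "$repo"; then
    echo "red/green ok"; return 0
  fi
  echo "not green: the test still fails after the fix"; return 1
}

# Stand-alone run: build the demo series and check it.
repo=$(make_demo_repo) && verify_red_green "$repo"
```

Running the script prints the failing test's message once (from the red check at `HEAD~1`) and then `red/green ok`. The same `verify_red_green` logic applies unchanged to a real PR branch: point it at the checkout and make `run_tests` invoke the project's own test runner.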
