Suggested process to manage a vulnerability
NOTE: This is the expected process to follow from responsible community contributors when exposing a vulnerability, of course is out of our hands if somebody prefer to disclose publicly the vulnerability in his blog, but we'll appreciate community members to follow this approach.
Phase 1 – Vulnerability Reporting, Acknowledgment, Validation, and Replication
- Finder (internal or external) reports issue - see How to report a vulnerability
- Assessment of status
- CVSS scoring
Phase 2 – Vulnerability Resolution with workarounds, patches, and fixes
- Developers work on a solution for the vulnerability
- At this stage developers on the security mail list can decide to work close with the finder and other key developers of community
Phase 3 – Responsible Disclosure and call to action
Disclosure is conducted in phases – notifying increasingly larger number of organizations – until the final phase of general public disclosure.
The phased disclosure process mixes responsibility to critical internet infrastructure, our customers, our operating system partners, our forum subscribers, and our large deployment of software running on networks throughout the world.
The objective of a phased disclosure is to provide the opportunity to upgrade within a reasonable maintenance window to minimize rushed action and operational anxiety
Given that we’re an open source project, we are working to have all our vulnerability management processes published and all vendors and users aware.
- Key Contributors (including responsible finder)
- Formal notice and pre-release code snapshot as far in advance as possible
- At least five business days in advance of the release of the public disclosure
- Software forum subscribers and Global security organizations
- Written notice of the disclosure ~24 hours before planned release of the public disclosure and code
- General Public disclosure of the vulnerability, and release of patched versions