From ffd8d43712306e16b8482fff22144ee69c7ee334 Mon Sep 17 00:00:00 2001 From: Ayrx Date: Thu, 5 Jun 2014 17:11:59 +0800 Subject: Updated security.rst to expand on process --- docs/security.rst | 68 ++++++++++++++++++++++++++++++++++++++++++---- docs/spelling_wordlist.txt | 1 + 2 files changed, 64 insertions(+), 5 deletions(-) (limited to 'docs') diff --git a/docs/security.rst b/docs/security.rst index 4dadc847..cd96d582 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -1,12 +1,70 @@ Security ======== -We take the security of ``cryptography`` seriously. If you believe you've -identified a security issue in it, please report it to -``alex.gaynor@gmail.com``. Message may be encrypted with PGP using key -fingerprint ``E27D 4AA0 1651 72CB C5D2 AF2B 125F 5C67 DFE9 4084`` (this public -key is available from most commonly-used key servers). +We take the security of ``cryptography`` seriously. The following are a set of +policies we have adopted to ensure that security issues are addressed in a +timely fashion. + +Reporting a security issue +-------------------------- + +We ask that you do not report security issues to our normal GitHub issue +tracker. + +If you believe you've identified a security issue with ``cryptography``, please +report it to ``alex.gaynor@gmail.com``. Message may be optionally be encrypted +with PGP using key fingerprint +``E27D 4AA0 1651 72CB C5D2 AF2B 125F 5C67 DFE9 4084`` +(this public key is available from most commonly-used key servers). Once you've submitted an issue via email, you should receive an acknowledgment within 48 hours, and depending on the action to be taken, you may receive further follow-up emails. + +Supported Versions +------------------ + +At any given time, we will provide security support for the `master`_ branch +as well as the 2 most recent releases. + +Disclosure Process +------------------ + +Our process for taking a security issue from private discussion to public +disclosure involves multiple steps. + +Approximately one week before full public disclosure, we will send advance +notification of the issue to a list of people and organizations, primarily +composed of operating-system vendors and other distributors of +``cryptography``. This notification will consist of an email message, + +* A full description of the issue and the affected versions of + ``cryptography``. +* The steps we will be taking to remedy the issue. +* The patch(es), if any, that will be applied to ``cryptography``. +* The date on which the ``cryptography`` team will apply these patches, issue + new releases and publicly disclose the issue. + +Simultaneously, the reporter of the issue will receive notification of the date +on which we plan to take the issue public. + +On the day of disclosure, we will take the following steps: + +* Apply the relevant patch(es) to the ``cryptography`` codebase. The commit + messages for these patches will indicate that they are for security issues, + but will not describe the issue in any detail; instead, they will warn of + upcoming disclosure. +* Issue the relevant release(s). +* Post a notice to the cryptography mailing list that describes the issue in + detail, point to the new release and crediting the reporter of the issue. + +If a reported issue is believed to be particularly time-sensitive – due to a +known exploit in the wild, for example – the time between advance notification +and public disclosure may be shortened considerably. + +The list of people and organizations who receives advanced notification of +security issues is not and will not be made public. This list generally +consists of high profile downstream distributors and is entirely at the +discretion of the ``cryptography`` team. + +.. _`master`: https://github.com/pyca/cryptography diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 9baf0822..19181573 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -7,6 +7,7 @@ boolean Botan Changelog ciphertext +codebase committer committers conda -- cgit v1.2.3 From 189f1706fdeabbf6d1456bfa8de721ad7d90ffae Mon Sep 17 00:00:00 2001 From: Ayrx Date: Thu, 5 Jun 2014 18:16:36 +0800 Subject: Updated docs --- docs/security.rst | 6 +++--- docs/spelling_wordlist.txt | 1 - 2 files changed, 3 insertions(+), 4 deletions(-) (limited to 'docs') diff --git a/docs/security.rst b/docs/security.rst index cd96d582..6856fbc4 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -41,7 +41,7 @@ composed of operating-system vendors and other distributors of * A full description of the issue and the affected versions of ``cryptography``. * The steps we will be taking to remedy the issue. -* The patch(es), if any, that will be applied to ``cryptography``. +* The patches, if any, that will be applied to ``cryptography``. * The date on which the ``cryptography`` team will apply these patches, issue new releases and publicly disclose the issue. @@ -50,11 +50,11 @@ on which we plan to take the issue public. On the day of disclosure, we will take the following steps: -* Apply the relevant patch(es) to the ``cryptography`` codebase. The commit +* Apply the relevant patches to the ``cryptography`` repository. The commit messages for these patches will indicate that they are for security issues, but will not describe the issue in any detail; instead, they will warn of upcoming disclosure. -* Issue the relevant release(s). +* Issue the relevant releases. * Post a notice to the cryptography mailing list that describes the issue in detail, point to the new release and crediting the reporter of the issue. diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 19181573..9baf0822 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -7,7 +7,6 @@ boolean Botan Changelog ciphertext -codebase committer committers conda -- cgit v1.2.3 From ead04a4d0dc58cd5ac78e650a3185aedd665087e Mon Sep 17 00:00:00 2001 From: Ayrx Date: Fri, 6 Jun 2014 00:59:18 +0800 Subject: Added missing word --- docs/security.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/security.rst b/docs/security.rst index 6856fbc4..a31a2fc3 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -36,7 +36,8 @@ disclosure involves multiple steps. Approximately one week before full public disclosure, we will send advance notification of the issue to a list of people and organizations, primarily composed of operating-system vendors and other distributors of -``cryptography``. This notification will consist of an email message, +``cryptography``. This notification will consist of an email message +containing: * A full description of the issue and the affected versions of ``cryptography``. -- cgit v1.2.3