Add documentation for reporting vulnerabilities #7

Open
postmodern opened this issue Dec 12, 2013 · 15 comments

Comments

@postmodern
Member

Document the steps to report a vulnerability.

  1. OSVDB: email [email protected] and/or message @osvdb on GitHub or Twitter.
  2. Request a CVE from the oss-sec mailing list or reserve a CVE from MITRE.
  3. Once an OSVDB or CVE ID has been obtained, send the advisory to [email protected].
@ghost

ghost commented Dec 12, 2013

+1. This would be very useful. I don't know anything about how this works, and I expect others in Ruby don't as well.

@jordimassaguerpla

+1

@bf4

bf4 commented Dec 12, 2013

Also, how should maintainers notify users? Recommend that everyone sign up to a rubysec list on librelist? Subscribe to an RSS feed? Follow [ANN SEC] on ruby-talk? The IRC channel rubysec on freenode? Twitter?

Would be great to subscribe to the gems you use for notifications, but that's a more complicated feature. However, it's sort of already implemented on the rubygems.org site, where you can subscribe to gems. Now it just needs to notify of vulns.

cc @drbrain

@bf4

bf4 commented Dec 12, 2013

I can update the rubygems security guide once this is up to date.

@jordimassaguerpla

Maybe gems-status-web could be of help here. See:

https://github.com/jordimassaguerpla/gems-status-web/blob/master/README.md

You can get notifications on your gems (based on a Gemfile), and the software gets alerts from different sources: mailing lists and commits upstream.

@dwradcliffe
Contributor

For the record, there are several hosted tools that can help keep users updated too. (Gemnasium and gemcanary)

@jordimassaguerpla

Also, bundler-audit may be of interest to you:

https://github.com/postmodern/bundler-audit

@postmodern
Member Author

@bf4 for general RubyGems security announcements, I believe [email protected] is the right place.

@phillmv
Member

phillmv commented Dec 17, 2013

@postmodern how does one accomplish:

Request a CVE from oss-sec mailing list or reserve a CVE from MITRE

Is there a template people can use? Ditto re: osvdb email.

@postmodern
Member Author

For requesting a CVE from MITRE: http://cve.mitre.org/cve/request_id.html

@ghost

ghost commented Dec 17, 2013

@reedloden
Member

There's also http://guides.rubygems.org/security/#reporting-security-vulnerabilities as well, though it's a bit outdated (I'm working on fixing it).

@reedloden
Member

I submitted rubygems/guides#134 to get the rubygems guide page updated.

Basically, the steps I see that need to be followed are:

  1. Request a CVE (via e-mail to one of the addresses on https://github.com/RedHatProductSecurity/CVE-HOWTO#how-do-i-request-a-cve)
  2. Release new version of gem
  3. Send an email to several lists including [email protected], [email protected], and [email protected] outlining the vulnerability, which versions of your gem it affects, and what actions those depending on the gem should take (generally, just what version(s) of the gem they need to update to). Make sure to use a subject that includes the gem name, some short summary of the vulnerability, and the CVE ID if you have one.
  4. Forward the e-mail you just sent for the above to [email protected] to get an OSVDB ID assigned.
  5. Submit a PR (or just file an issue) for adding the vulnerability to https://github.com/rubysec/ruby-advisory-db/.

Could move step 4 up to after step 1... Really depends on whether blocking on MITRE / OSVDB is appropriate.
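Steps 3 and 5 of the list above produce the two machine-consumable artifacts of a disclosure: the affected/patched version ranges and the advisory-database entry that tools such as bundler-audit (linked earlier in this thread) read. The following Ruby is an added example, not code from ruby-advisory-db, bundler-audit, the rubygems guides or anyone in this thread. It loads a constructed advisory written in the field layout ruby-advisory-db entries use (gem, cve, url, title, date, description, patched_versions, unaffected_versions; that layout is assumed here from the project's published entries and is not described on this page), reads the resolved versions out of a constructed Gemfile.lock fragment, and classifies each locked gem as unaffected, patched or vulnerable using RubyGems' own requirement syntax (`~>`, `>=`, `<`). The gem name examplegem, the CVE placeholder, the URL, the date and every version number are invented for the example.

```ruby
require 'yaml'
require 'date'
require 'rubygems'

# Constructed sample advisory in the field layout ruby-advisory-db uses
# (gems/<gem>/CVE-YYYY-NNNN.yml). The gem name, CVE id, URL, date and
# versions are placeholders invented for this example, not a real advisory.
SAMPLE_ADVISORY = <<~YAML
  ---
  gem: examplegem
  cve: YYYY-NNNNN
  url: https://example.invalid/placeholder-advisory
  title: Constructed placeholder advisory (not a real vulnerability)
  date: 2015-08-03
  description: |
    Placeholder text. The versions under patched_versions are the ones the
    maintainer announced as fixed in the disclosure e-mail (step 3 above).
  patched_versions:
    - "~> 1.2.5"
    - ">= 1.3.2"
  unaffected_versions:
    - "< 1.0.0"
YAML

# Constructed Gemfile.lock fragment; only resolved specs carry a plain version.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      examplegem (1.2.3)
      othergem (2.0.0)
        examplegem (>= 1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    examplegem
    othergem
LOCK

REQUIRED_FIELDS = %w[gem title date patched_versions].freeze

# Parse an advisory and reject entries missing the fields a consumer needs.
# The date is a bare YAML timestamp, so Date has to be explicitly permitted.
def load_advisory(yaml)
  advisory = YAML.safe_load(yaml, permitted_classes: [Date])
  missing = REQUIRED_FIELDS.reject { |field| advisory.key?(field) }
  raise ArgumentError, "advisory missing #{missing.join(', ')}" unless missing.empty?
  advisory
end

# True when the version satisfies at least one requirement string
# ("~> 1.2.5", ">= 1.3.2", ...), interpreted with RubyGems' own semantics.
def matches_any?(version, requirements)
  Array(requirements).any? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Classify an installed version against one advisory. Unaffected ranges are
# checked first so a release that predates the bug is never flagged.
def classify(advisory, version_string)
  version = Gem::Version.new(version_string)
  return :unaffected if matches_any?(version, advisory['unaffected_versions'])
  return :patched    if matches_any?(version, advisory['patched_versions'])
  :vulnerable
end

# Resolved specs sit at exactly four spaces of indentation; deeper lines are
# dependency constraints such as "(>= 1.0)" and are skipped on purpose.
def locked_versions(lockfile)
  lockfile.scan(/^ {4}(\S+) \((\d[^)]*)\)$/).to_h
end

# Report [gem, version, :vulnerable] for every locked gem an advisory hits.
def audit(lockfile, advisories)
  versions = locked_versions(lockfile)
  advisories.map do |advisory|
    version = versions[advisory['gem']]
    next if version.nil?
    status = classify(advisory, version)
    [advisory['gem'], version, status] if status == :vulnerable
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  advisory = load_advisory(SAMPLE_ADVISORY)
  audit(SAMPLE_LOCKFILE, [advisory]).each do |gem, version, _status|
    puts "#{gem} #{version} is vulnerable; patched: #{advisory['patched_versions'].join(', ')}"
  end
end
```

The classification order matters: `unaffected_versions` is consulted before `patched_versions`, and anything matching neither is treated as vulnerable, so an advisory whose version ranges are vague or incomplete (the thing step 3 asks maintainers to state precisely) shows up as false positives for consumers rather than silently passing.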

@ghost

ghost commented Aug 3, 2015

Get the CVE as early as possible, otherwise everyone has to go back and update their report; if the CVE goes out with the initial report it makes life soooo much easier later. Depending on the severity of the issue, blocking/not blocking may be appropriate.

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

@reedloden
Member

@kseifriedredhat, sadly, MITRE is quite slow. Still waiting on CVE assignments for things I sent to oss-security@ / cve-assign@ quite a long time ago.
