From 22652b4484a06fc111e035f67e84aa3ae7e6acdb Mon Sep 17 00:00:00 2001 From: Julie Qiu Date: Fri, 24 Sep 2021 07:46:32 -0400 Subject: [PATCH] _content: update security policy The golang.org/security page is updated according to the new security policy. Fixes golang/go#44918 Change-Id: I66306aa0368ee12f89f68f97a2ae1412d98da628 Reviewed-on: https://go-review.googlesource.com/c/website/+/352029 Trust: Julie Qiu Trust: Katie Hockman Run-TryBot: Julie Qiu TryBot-Result: Go Bot Reviewed-by: Katie Hockman --- _content/security.html | 331 +++++++++++++++++++++++------------------ 1 file changed, 188 insertions(+), 143 deletions(-) diff --git a/_content/security.html b/_content/security.html index 96c6484968..31b6c026de 100644 --- a/_content/security.html +++ b/_content/security.html @@ -2,180 +2,225 @@ "Title": "Go Security Policy" }--> -

Implementation

+

Overview

-

Reporting a Security Bug

+

+ This document explains the Go Security team's process for handling issues + reported and what to expect in return. +

+ +

Reporting a Security Bug

+ +

+ All security bugs in the Go distribution should be reported by email to + security@golang.org. This mail is + delivered to the Go Security team. +

+ +

+ To ensure your report is not marked as spam, + please include the word "vulnerability" anywhere in your + email. Please use a descriptive subject line for your report email. +

-Please report to us any issues you find. -This document explains how to do that and what to expect in return. + Your email will be acknowledged within 7 days, and you'll be kept up to date + with the progress until resolution. Your issue will be fixed or made public + within 90 days. If you have not received a reply to your email within 7 days, + please follow up with the Go security team directly at + security@golang.org.

+

Tracks

+

-All security bugs in the Go distribution should be reported by email to -security@golang.org. -This mail is delivered to a small security team. -Your email will be acknowledged within 24 hours, and you'll receive a more -detailed response to your email within 72 hours indicating the next steps in -handling your report. + Depending on the nature of your issue, it will be categorized by the Go + security team as an issue in the PUBLIC, PRIVATE, or URGENT track. All + security issues will be issued CVE numbers.

+

PUBLIC

+

+ Issues in the PUBLIC track affect niche configurations, have very limited + impact, or are already widely known. +

+ +

+ PUBLIC track issues are fixed in public, and get backported + to the next scheduled + minor releases + (which occur ~monthly). The release announcement includes details of these + issues, but there is no pre-announcement. +

+ +

Examples of past PUBLIC issues include:

+
    +
  • + #44916: + archive/zip: can panic when calling Reader.Open +
    • +
  • + #44913: + encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom + TokenReader +
    • +
  • + #43786: + encoding/xml: infinite crypto/elliptic: incorrect operations on the P-224 + curve +
    • +
  • + #40928: + net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is + not specified +
    • +
  • + #40618: + encoding/binary: ReadUvarint and ReadVarint can read an unlimited number of + bytes from invalid inputs +
    • +
  • + #36834: + crypto/x509: certificate validation bypass on Windows 10 +
    • +
+ +

PRIVATE

+

-To ensure your report is not marked as spam, please include the word "vulnerability" -anywhere in your email. Please use a descriptive subject line for your report email. + Issues in the PRIVATE track are violations of committed security properties.

-After the initial reply to your report, the security team will endeavor to keep -you informed of the progress being made towards a fix and full announcement. -These updates will be sent at least every five days. -In reality, this is more likely to be every 24-48 hours. + PRIVATE track issues are + fixed in the next scheduled + minor releases + , + and are kept private until then.

-If you have not received a reply to your email within 48 hours or you have not -heard from the security team for the past five days please contact the Go -security team directly: + Three to seven days before the release, a pre-announcement is sent to + golang-announce, announcing the presence of a security fix in the upcoming + releases, and whether the issue affects the standard library, the toolchain, + or both (but not disclosing any more details).

+

Some examples of past PRIVATE issues include:

    -
  • Primary security coordinator: Filippo Valsorda.
    • -
  • Secondary coordinator: Adam Langley.
    • -
  • If you receive no response, mail golang-dev@googlegroups.com or use the golang-dev web interface.
    • +
  • + #42552: + math/big: panic during recursive division of very large numbers +
    • +
  • + #34902: + net/http: Expect 100-continue panics in httputil.ReverseProxy +
    • +
  • + #39360: + crypto/x509: Certificate.Verify method seemingly ignoring EKU requirements + on Windows +
    • +
  • + #34960: + crypto/dsa: invalid public key causes panic in dsa.Verify +
    • +
  • + #34540: + net/http: invalid headers are normalized, allowing request smuggling +
    • +
  • + #29098: + net/url: URL.Parse Multiple Parsing Issues +
+

URGENT

+

-Please note that golang-dev is a public discussion forum. -When escalating on this list, please do not disclose the details of the issue. -Simply state that you're trying to reach a member of the security team. + URGENT track issues are a threat to the Go ecosystem’s integrity, or are being + actively exploited in the wild leading to severe damage. There are no recent + examples, but they would include remote code execution in net/http, or + practical key recovery in crypto/tls.

-

Flagging Existing Issues as Security-related

+

+ URGENT track issues are fixed in private, and + trigger an immediate dedicated security release, possibly + with no pre-announcement. +

+ +

Flagging Existing Issues as Security-related

-If you believe that an existing issue -is security-related, we ask that you send an email to -security@golang.org. -The email should include the issue ID and a short description of why it should -be handled according to this security policy. + If you believe that an existing issue + is security-related, we ask that you send an email to + security@golang.org. The email should + include the issue ID and a short description of why it should be handled + according to this security policy.

-

Disclosure Process

+

Disclosure Process

The Go project uses the following disclosure process:

    -
  1. Once the security report is received it is assigned a primary handler. -This person coordinates the fix and release process.
    2. -
  2. The issue is confirmed and a list of affected software is determined.
    3. -
  3. Code is audited to find any potential similar problems.
    4. -
  4. If it is determined, in consultation with the submitter, that a CVE-ID is -required, the primary handler obtains one via email to -oss-distros.
    5. -
  5. Fixes are prepared for the two most recent major releases and the head/master -revision. These fixes are not yet committed to the public repository.
    6. -
  6. A notification is sent to the -golang-announce -mailing list to give users time to prepare their systems for the update.
    7. -
  7. Three working days following this notification, the fixes are applied to -the public repository and a new -Go release is issued.
    8. -
  8. On the date that the fixes are applied, announcements are sent to -golang-announce, -golang-dev, and -golang-nuts. +
  9. + Once the security report is received it is assigned a primary handler. This + person coordinates the fix and release process. +
    10. +
  10. The issue is confirmed and a list of affected software is determined.
    11. +
  11. Code is audited to find any potential similar problems.
    12. +
  12. + If it is determined, in consultation with the submitter, that a CVE number is + required, the primary handler will obtain one. +
    13. +
  13. + Fixes are prepared for the two most recent major releases and the + head/master revision. Fixes are prepared for the two most recent major + releases and merged to head/master. +
    14. +
  14. + On the date that the fixes are applied, announcements are sent to + golang-announce, + golang-dev, and + golang-nuts. +

-This process can take some time, especially when coordination is required with -maintainers of other projects. Every effort will be made to handle the bug in -as timely a manner as possible, however it's important that we follow the -process described above to ensure that disclosures are handled consistently. -

- -

-For security issues that include the assignment of a CVE-ID, -the issue is listed publicly under the -"Golang" product on the CVEDetails website -as well as the -National Vulnerability Disclosure site. -

- -

Receiving Security Updates

- -

-The best way to receive security announcements is to subscribe to the -golang-announce -mailing list. Any messages pertaining to a security issue will be prefixed -with [security]. -

- -

Comments on This Policy

- -

-If you have any suggestions to improve this policy, please send an email to -golang-dev@golang.org for discussion. -

- -

PGP Key for security@golang.org

- -

-We accept PGP-encrypted email, but the majority of the security team -are not regular PGP users so it's somewhat inconvenient. Please only -use PGP for critical security reports. -

- -
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBFXI1h0BEADZdm05GDFWvjmQKutUVb0cJKS+VR+6XU3g/YQZGC8tnIL6i7te
-+fPJHfQc2uIw0xeBgZX4Ni/S8yIqsbIjqYeaToX7QFUufJDQwrmlQRDVAvvT5HBT
-J80JEs7yHRreFoLzB6dnWehWXzWle4gFKeIy+hvLrYquZVvbeEYTnX7fNzZg0+5L
-ksvj7lnQlJIy1l3sL/7uPr9qsm45/hzd0WjTQS85Ry6Na3tMwRpqGENDh25Blz75
-8JgK9JmtTJa00my1zzeCXU04CKKEMRbkMLozzudOH4ZLiLWcFiKRpeCn860wC8l3
-oJcyyObuTSbr9o05ra3On+epjCEFkknGX1WxPv+TV34i0a23AtuVyTCloKb7RYXc
-7mUaskZpU2rFBqIkzZ4MQJ7RDtGlm5oBy36j2QL63jAZ1cKoT/yvjJNp2ObmWaVF
-X3tk/nYw2H0YDjTkTCgGtyAOj3Cfqrtsa5L0jG5K2p4RY8mtVgQ5EOh7QxuS+rmN
-JiA39SWh7O6uFCwkz/OCXzqeh6/nP10HAb9S9IC34QQxm7Fhd0ZXzEv9IlBTIRzk
-xddSdACPnLE1gJcFHxBd2LTqS/lmAFShCsf8S252kagKJfHRebQJZHCIs6kT9PfE
-0muq6KRKeDXv01afAUvoB4QW/3chUrtgL2HryyO8ugMu7leVGmoZhFkIrQARAQAB
-tCZHbyBTZWN1cml0eSBUZWFtIDxzZWN1cml0eUBnb2xhbmcub3JnPokCTgQTAQoA
-OAIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgBYhBGROHzjvGgTlE7xbTTpG0ZF5
-Wlg4BQJd8rfQAAoJEDpG0ZF5Wlg4198P/2YDcEwEqWBWjriLFXdTGOcVxQ7AC/mX
-Fe576zwgmrbqO00IaHOOqZZYXKd078FZyg2qQKILvfSAQB7EtLwfPEgv3Wca/Jb/
-ma2hNz+AveiWDVuF4yPx8qvFer/6Yzv9+anfpUP//qfo/7L3VSYKwNAcqqNGvBMh
-fLb7oWDSkdRmcu57c4WYv8i5BtxMRXs581r836bG3U0z0WQG8j64RpYp6sipqJnv
-09l3R5SXd7kkS26ntLU4fgTNJ6Eim7YoXsqLtVe4VZHGYz3D0yHnvCBpbJa2WpP2
-QT6TtFizvKtQlC0k1uo88VV8DyRdp2V6BO9cSNecvXZh81H0SjtD9MwdMnpX3shT
-LKu3L6wlJtb/EJVZg6+usJo0VunUdNTiBmy4FJrko7YYOSVHKKBA6dooufGNUSjw
-9Tieqh4jnzpg6+aIrNugZIrABH2G0GD/SvUSfjli0i+D1mqQSsMcLzE1BBcichpS
-htjv6fU8nI5XXmloUn1P2WBwziemsb7YcfBLNVeCxlAmoJn1hnOPjNzmKfVZk95E
-VJNvVB76JCh+S/0bAba5+nBZ1HRn/FAbs9vfUpp1sOFf25jX9bDAZvkqwgyPpNv/
-jONK0zNXRD5AfKdCA1nkMI70NNS5oBxPowp95eKyuw4hCINvfuPq5sLJa3cIMj3M
-MVO91QDs9eXxuQINBFXI1h0BEACXD0f/XJtCzgrdcoDWOggjXqu1r0pLt7Dvr5qB
-ejSN5JHAwRB8i07Fi9+Gajz7J2flNaxNuJ8ZTwvf4QFMxFHLNaFtoY7RaLPDsFNU
-nufklb6d0+txSmn+KVSToBRXFo7/z9H735Ulmmh6gsddiWgUY25fnwYsjLWNIG8u
-wuX8qLkg6se8PUYrpN+06XmPwg8LUtIGvAYk7zTfHvBR1A/+2wo39A9HymcGe2sS
-CtAVIj5DeqsK9UyZecGVi6aN84G3ykoyAH3+LH4dY3ymJA1CInEP5eMQzpfBSZCo
-hHvLkYg0paC6d0Ka1gjNWBj2nYGvpQ+tMmLXYt8q/mzZHo2fEUe/9p3b0Kk9N4sl
-GxKoV+oEv3r0EKmP+KxeZASbgW3OJmJ0BFejXYqIYCc8X2i2Ks0enj7yHA0Hexx/
-twjnfLydmK871zAjsGgKVjpkhpuMNwnGMr7bh6ajPeYnlIelmlAtJv2jwZsst9c6
-r7i7MRfYDfR+Gu2xBv/HQYzi/cRTVo/aaO6SzJhuCV21jri0PfnCoAD2ZWXlTH6D
-UehQG8vDSH6XPCHfvQ0nD/8hO8FBVS0MwH3qt8g/h8vmliXmmZHP6+y4nSJfObTm
-oGAp9Ko7tOj1JbFA91fz1Hi7T9dUCXDQCT1lx6rdb3q+x4RRNHdqhkIwg+LB9wNq
-rrStZQARAQABiQI2BBgBCgAgAhsMFiEEZE4fOO8aBOUTvFtNOkbRkXlaWDgFAl3y
-uFYACgkQOkbRkXlaWDiMgw//YvO2nZxWNSnQxqCEi8RXHV/3qsDDe8LloviFFV/M
-GSiGZBOhLJ0bFm9aKKPoye5mrZXBKvEVPu0h1zn43+lZruhARPiTu2AecQ7fstET
-PyXMZJ4mfLSFIaAumuH9dQEQJA9RRaFK8uzPRgAxVKyuNYS89psz/RvSeRM3B7Li
-m9waLs42+5xtltR5F6HKPhrgS/rrFHKMrNiDNMMG2FYu1TjonA9QnzAxDPixH3A1
-VNEj6tVqVK8wCMpci3YaXZJntX0H3oO6qloL8qIpSMVrIiD4IDBDK13Jn3OJ7veq
-iDn1mbGFYtfu8R+QV2xeDSJ6nEKfV3Mc3PFDbJMdzkOCdvExC8qsuUOqO4J6dRt7
-9NVptL0xZqlBjpF9fq9XCt7ZcQLDqbUF/rUs58yKSqEGrruXTx4cTLtwkTLcqJOw
-/CSgFtE8cvY51uupuEFzfmt8JLNTxsm2X2NlsZYxFJhamVrGFroa55nqgKe3tF7e
-AQBU641SZRYloqGgPK+4PB79vV4RyEDETOpD3PvpN2IafVWDacI4LXW0a4EKnPUj
-7JwRBmZxESda3OixSONv/VcuEOyGAZUppbLM4XYTtslRIqdQJFr7Vkza/VIoUqaY
-MkFIioHf2QndVwDXt3d0b0aAGaLeMRD1MFGtLNigEDD45nPeEpuGzXkUATpVWGiV
-bIs=
-=Nx85
------END PGP PUBLIC KEY BLOCK-----
-
+ This process can take some time, especially when coordination is required with + maintainers of other projects. Every effort will be made to handle the bug in + as timely a manner as possible, however it's important that we follow the + process described above to ensure that disclosures are handled consistently. +

+ +

+ For security issues that include the assignment of a CVE number, the issue is + listed publicly under the + + "Golang" product on the CVEDetails website + + as well as the + + National Vulnerability Disclosure site + . +

+ +

Receiving Security Updates

+ +

+ The best way to receive security announcements is to subscribe to the + + golang-announce + + mailing list. Any messages pertaining to a security issue will be prefixed + with [security]. +

+ +

Comments on This Policy

+ +

+ If you have any suggestions to improve this policy, please + file an issue for discussion. +