Vulnerability Disclosure Policy

Summary: If you wish to report a security vulnerability in software written or maintained by Ryan Finnie, you may email ryan@finnie.org with "vulnerability report" somewhere in the subject. My OpenPGP key is 86AE8D98 and may be used to send signed or encrypted communications.

Introduction

I have written and maintain a number of open source projects, and security is one of my most important concerns. To that end, this document outlines how I handle security vulnerabilities, and what you should do to report them.

Reporting Non-Vulnerabilities

To report non-sensitive bugs or ask for help with a project, please see the "Contributions" section of that project's home page. Usually this involves submitting a report through an issue tracking system, a merge request on GitHub, a public forum, etc.

Reporting Security Vulnerabilities

Downstream Reporting

If you find a security vulnerability in a project written or maintained by me and it is packaged as part of a major downstream distribution (Debian, Ubuntu, Fedora, etc.), your best course is to report it as a security vulnerability through them. These distributions have the resources and prior experience to effectively coordinate between you, me, other distributions, MITRE, etc.

A partial list of downstream projects which carry software written by me, along with their own vulnerability disclosure policies, is available here:

Before reporting downstream, please be sure the security vulnerability is found in a software version carried by the downstream distribution. While downstream distributions' security teams are best equipped for coordinating a security vulnerability disclosure, remember that they first serve their own projects, not upstream.

Direct Reporting

If downstream reporting is not applicable or you do not wish to report downstream, you may contact me directly with a security vulnerability report.

Please email ryan@finnie.org, with a subject containing the text "<project name> vulnerability report" to help it stand out, though this is not a hard requirement.

Please include as much information as possible, including project name, version the vulnerability was discovered in, steps to reproduce, and patches if known.

If possible, please sign and/or encrypt the email with OpenPGP. My key's fingerprint is:

pub   4096R/86AE8D98 2012-04-11
      Key fingerprint = 42E2 C8DE 8C17 3AB1 02F5  2C6E 7E60 A3A6 86AE 8D98

This key is available on the major keyservers, as well as my Launchpad page. Please verify the web of trust for this key before deciding whether to trust it.

Responsible Disclosure

I strive for responsible disclosure, with the expectation that all legitimate vulnerability reports will be made public once they have been successfully mitigated. While I have no specific stated timelines for public disclosure, I will work with security reporters to determine a mutually agreed-upon timeline and process.

Acknowledgements

Vulnerability reporters will likely be given public acknowledgement for their contributions, though this cannot be guaranteed in exceptional circumstances.

Bounties

I do not offer a bug bounty program and do not pay for vulnerability reports.