Re: [Edm] Highlighting how to report vulnerabilities

Tommy Pauly <tpauly@apple.com> Tue, 11 April 2023 15:20 UTC

From: Tommy Pauly <tpauly@apple.com>
Message-id: <4359618C-AFAC-4493-925E-4B28E087948B@apple.com>
Date: Tue, 11 Apr 2023 08:20:25 -0700
In-reply-to: <CALGR9oaCBJdpJaFjuZsgVakaF-WkxpfLDayetwKLJdCDwRK+bw@mail.gmail.com>
Cc: edm@iab.org
To: Lucas Pardue <lucaspardue.24.7@gmail.com>
References: <CALGR9oaCBJdpJaFjuZsgVakaF-WkxpfLDayetwKLJdCDwRK+bw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/edm/ARLiKWANjgOMZpZLRmDiriePrY8>
Subject: Re: [Edm] Highlighting how to report vulnerabilities
List-Id: "Evolvability, Deployability, & Maintainability \(Proposed\) Program" <edm.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/edm>, <mailto:edm-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/edm/>
List-Post: <mailto:edm@iab.org>
List-Help: <mailto:edm-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/edm>, <mailto:edm-request@iab.org?subject=subscribe>

Thanks for sharing this, Lucas! What you added to the QUIC WG website looks good. Having the list of implementations and the ways to report issues there is particularly interesting, as that goes beyond what the general IETF reporting is (which is just about the documents).

I’d be curious if anyone knows how many reports the protocol vulnerabilities email alias receives; is this something that the broader security community is tracking?

Best,
Tommy

> On Apr 6, 2023, at 12:21 PM, Lucas Pardue <lucaspardue.24.7@gmail.com> wrote:
> 
> Hi EDM,
> 
> QUIC has been an RFC for a while now, and we see a regular stream of research into the protocol itself, along with implementations/deployments.
> 
> Part of the maintenance of a protocol or implementation is the ability to report discovered problems to the maintainers. In particular, vulnerabilities in either might need some sensitive handling. During IETF 116, I was made aware of the existing IETF guidance on how to report protocol vulnerabilities [1]. As noted in that text, a vulnerability in an implementation etc. needs to be addressed to the appropriate maintainer and not the IETF. Each project is likely to have its own reporting guidelines.
> 
> In order to better highlight how to report vulnerabilities, I've added a section of text on the quicwg.org landing page that gives a brief summary of things and gives pointers for expanded policies. The QUIC WG also has a GitHub wiki page of implementations, so where it was obvious I have added a link to each implementation's reporting policy. Where there wasn't a clear policy, I've encouraged implementers to think about defining one (if needed) and adding a link on the page for ease of discovery.
> 
> My approach suits the existing method of working in the QUIC WG. Others might find that adding these sorts of pointers to the datatracker could be a good solution. And I'm sure there's other approaches I didn't think of.
> 
> Cheers,
> Lucas
> 
> 
> [1] - https://www.ietf.org/standards/rfcs/vulnerabilities/
> -- 
> Edm mailing list
> Edm@iab.org
> https://www.iab.org/mailman/listinfo/edm