[Edm] Highlighting how to report vulnerabilities

Lucas Pardue <lucaspardue.24.7@gmail.com> Thu, 06 April 2023 19:21 UTC

From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Thu, 06 Apr 2023 20:21:39 +0100
Message-ID: <CALGR9oaCBJdpJaFjuZsgVakaF-WkxpfLDayetwKLJdCDwRK+bw@mail.gmail.com>
To: edm@iab.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/edm/AVhxHjDXjKQRa3-AG0d_PhwFF3c>
Subject: [Edm] Highlighting how to report vulnerabilities

Hi EDM,

QUIC has been an RFC for a while now, and we see a regular stream of
research into the protocol itself, along with implementations/deployments.

Part of the maintenance of a protocol or implementation is the ability to
report discovered problems to the maintainers. In particular,
vulnerabilities in either might need some sensitive handling. During IETF
116, I was made aware of the existing IETF guidance on how to report
protocol vulnerabilities [1]. As noted in that text, a vulnerability in an
implementation, etc., needs to be addressed to the appropriate maintainer and
not the IETF. Each project is likely to have its own reporting guidelines.

In order to better highlight how to report vulnerabilities, I've added a
section of text on the quicwg.org landing page that gives a brief summary
of things and gives pointers for expanded policies. The QUIC WG also has a
GitHub wiki page of implementations, so where it was obvious I have added a
link to each implementation's reporting policy. Where there wasn't a clear
policy, I've encouraged implementers to think about defining one (if
needed) and adding a link on the page for ease of discovery.

My approach suits the existing method of working in the QUIC WG. Others
might find that adding these sorts of pointers to the datatracker could be
a good solution. And I'm sure there are other approaches I didn't think of.

Cheers,
Lucas


[1] - https://www.ietf.org/standards/rfcs/vulnerabilities/