Proposed security disclosure policy

steveklabnik · 2015-05-13T23:11:01.299Z

Having a good discussion with Jacobian about the “no predisclosure” aspect here: https://twitter.com/jacobian/status/598625875102289920

Django’s policy here: https://docs.djangoproject.com/en/1.8/internals/security/#who-receives-advance-notification

nrc · 2015-05-13T23:15:29.643Z

Looks good, a few nits:

you might want to change hours/days to working hours/days - I imagine a bug report on Friday evening might (reasonably) not get attention until Monday morning.

How are security bugs tracked? Presumably they won’t be in public GH issues. Who has access to security bugs?

Fixes are prepared for all releases which are still under maintenance

Sounds too strict to me. I imagine for any security bug there is a trade-off between negative effects and effort/risk to fix. Some will not justify pushing to release, I’d have thought.

No one outside the security team and the initial reporter will be notified prior to the lifting of the embargo

This sounds wrong, unless the security team is larger than I am expecting. In particular the person fixing the bug might not be on the security team or people outside that team will have useful input to how to fix the bug or the severity of it.

steveklabnik · 2015-05-13T23:24:26.172Z

Good nits, @nrc

you might want to change hours/days to working hours/days

Yeah, this is a good point. I know I personally would consider it to be just days, but depending on who is actually on the team, working days may be better.

How are security bugs tracked? Presumably they won’t be in public GH issues. Who has access to security bugs?

The individuals who monitor said list have access, as effectively, the emails are the tracking. We’re expecting to address these issues right away, rather than have them sit around for a long time. A compiler operates quite differently than a project like Firefox. We’ll see, though.

Sounds too strict to me.

I can’t actually remember, but last I remember, we’re not explicitly maintaing previous releases of Rust yet. Since 1.x releases are a drop-in upgrade, we expect the vast majority of users to be on the latest. That said, obviously it won’t be 100%, and there’s lots to consider here.

This sounds wrong, unless the security team is larger than I am expecting.

See the above Twitter thread with Jacobian for a good argument for having some sort of pre-disclosure list. I chose no disclosure at first because it’s not even clear that we will have any candidates for pre-disclosure for a while, as the usual suspects are people like Linux distros. I’m not categorially opposed to a pre-disclosure list, but starting off simpler seems prudent, or at least, that’s my line of thinking.

nrc · 2015-05-13T23:34:22.976Z

steveklabnik:

Since 1.x releases are a drop-in upgrade, we expect the vast majority of users to be on the latest.

I imagine that some security bugs might be minor enough that they only warrant fixing on nightlies or beta, rather than pushing every one to release. Perhaps you are thinking that these would not be classes as ‘official security bugs’? Which makes me thing that maybe we should be explicit about having a way to say that the reported bug is not actually a security issue? The current proposal seems to imply that every reported bug will be treated as real.

steveklabnik:

This sounds wrong, unless the security team is larger than I am expecting.

I was thinking of developers within the Rust community rather than users of Rust here. I’m assuming that not everyone who contributes to Rust will be on the security team, but that sometimes their (as in any given contributor) input might be wanted.

erickt · 2015-05-14T01:11:07.128Z

Do we have an rfc on how many old versions of rust we are maintaining? I couldn’t find one. Closest I got was 507 and this thread but neither mention it.

jruderman · 2015-05-14T01:41:28.735Z

Which bugs are severe enough that they should be hidden from the public (and might be eligible for a future bug bounty)?

For rustc and std:

Would the Leakpocalypse qualify? It violated Rust’s memory safety guarantees but wasn’t likely to affect applications.
On the other hand, what about libraries whose incorrect output leads to application vulnerabilities?

For servers:

Which servers, and which kinds of bugs, are in scope?
When should researchers feel comfortable testing live sites, and when should they set up their own instances? (Example policy)

bstrie · 2015-05-14T03:58:25.265Z

I’d say that Leakpocalypse qualifies. A soundness violation means that you’ve erased Rust’s primary selling point, which is the guarantee that non-unsafe code will be memory-safe. It’s easy to imagine people relying on that quality for the security of their application, even if an exploit is as contrived in practice as Leakpocalypse.

wycats · 2015-05-14T05:19:51.237Z

The Ember security policy includes no predisclosure because Ember isn’t shipped with any distribution that may want to include package manager updates as soon as the vulnerability is announced.

In contrast, Ruby on Rails announces the vulnerability to distros@openwall 72 hours before the public announcement.

In Rust’s case, I think it makes sense to notify distros@openwall, since Rust is pretty likely to start getting packaged in at least some distributions pretty soon.

Manishearth · 2015-05-14T06:36:31.859Z

steveklabnik:

Since 1.x releases are a drop-in upgrade

Modulo UFCS?

In case of really severe issues where an exploit could be easily crafted, I suggest pushing out to older releases too.

sigma · 2015-05-14T08:07:34.671Z

I think we’d probably need some classification system. Say: “Critical, Important, Moderate, Minor”.

If a bug is posted to the sec list and it’s triaged as Minor or “Not a security issue” it could be punted to the public issue tracker.

If it’s Critical the patch might need pushed back onto some number of previous releases so that distros like debian who’ll probably have ancient versions in their repositories can patch.

What to do with the middle categories I’m not so sure.

bascule · 2015-05-14T08:29:55.351Z

I find this cliche rather tiring:

We take security very seriously

Here’s a crack at something different:

“Safety is one of the core principles of Rust, and to that end, we would like to ensure that Rust is a secure language.”

Re:

All security bugs in the Rust distribution should be reported by email to security@rust-lang.org

Perhaps encourage (but do not require) people to GPG encrypt messages sent to this list.

arielb1 · 2015-05-14T10:32:05.103Z

I don’t think it’s right to handle soundness issues via this process, at least at this stage. rustc’s code isn’t particularly robust, so there are probably many of them - at this stage I really really won’t trust rustc to contain malicious safe-Rust code, and some soundness issues require a significant amount of effort to fix and/or break significant amounts of code.

Until we get much better on that front, I would prefer that only issues that can cause vulnerabilities in application code (e.g. some library function not performing bounds checking in some cases) be reported via the security process.

arielb1 · 2015-05-14T10:33:42.053Z

I mean, I really wouldn’t want the Leakpocalypse to be handled privately.

steveklabnik · 2015-05-14T13:33:15.382Z

jruderman:

Which bugs are severe enough that they should be hidden from the public (and might be eligible for a future bug bounty)?

One thing that I meant to mention is that I’d prefer to decide which bugs count for this policy an RFC, to be kicked off last week. We need the mechanics of reporting in place for 1.0, and we can refine the guideline on what to report over a slightly longer timeframe.

steveklabnik · 2015-05-14T13:33:29.872Z

erickt:

Do we have an rfc on how many old versions of rust we are maintaining?

I do not believe so right now, no.

steveklabnik · 2015-05-14T13:35:43.309Z

bascule:

Perhaps encourage (but do not require) people to GPG encrypt messages sent to this list.

It says it in the last paragraph:

If you would like, you can encrypt your report using our public key.

alfie · 2015-05-14T14:08:15.107Z

- delivered to small security team + delivered to a small security team

alfie · 2015-05-14T14:16:53.098Z

steveklabnik:

The Rust project has a 5 step disclosure policy. …

I would bullet point these five steps, rather than keep them in a single (wordy) paragraph.

Other than that, looks good. +1

Manishearth · 2015-05-14T17:46:03.976Z

The Leakpocalypse could have been handled privately by immediately destabilizing scoped and suggesting people stop using it. (which is more or less what happened anyway, minus the private ness)

Then after some time make it public and come up with a real solutoon.

steveklabnik · 2015-05-15T15:08:27.298Z

Thank you everyone! I have a PR here: https://github.com/rust-lang/rust-www/pull/123

I believe that I’ve addressed everything that’s come up. Please let me know how this looks!