@@ -5,11 +5,138 @@ parent: Best Practices
55Security Best Practices
66=======================
77
8- This document is a placeholder. Some topics we will want to remember to cover:
8+ Project Security Policy
9+ -----------------------
10+
11+ All ASWF projects should enable GitHub Security Advisories on their
12+ repos, from the "Security" tab.
13+
14+ All ASWF projects should also publish a security policy in
15+ SECURITY.md. It should contain:
16+
17+ 1 . A message indicating GitHub Security Advisories are the preferred
18+ mechanism for reporting vulnerabilities privately. If your project
19+ also maintains a "security@<project >.com" email, mention that as a
20+ secure forum for communicating with the project maintainers.
21+
22+ 2 . A statement about reponse expectations, something like:
23+
24+ Our policy is to acknowledge the receipt of vulnerability
25+ reports within 48 hours. Our policy is to address critical
26+ security vulnerabilities rapidly and post patches within 14
27+ days if possible.
28+
29+ 3 . A list of known vulnerabilties, identifing affected versions and
30+ patched versions, with links to CVE records at https://www.cve.org/ .
31+
32+ Vulnerability Reporting and Response
33+ ------------------------------------
34+
35+ What to do when your project receives a GitHub Security Advisory:
36+
37+ 1 . The first step is to acknowledge receipt of the report in the
38+ comments.
39+
40+ 2 . Add other maintainers as collaborators, using the sidebar. GitHub
41+ Security Advisory pages are not publicly visible until
42+ published (the last step), and depending on the repo configuration,
43+ the report may be visible only to repo owners/maintainers.
44+
45+ 3 . Decide whether to reject the report as invalid. Read it and
46+ determine if it is a legitimate flaw or otherwise worthy of
47+ discussion with the reporter. Some reasons to reject:
48+
49+ a. It's blatantly invalid. OpenEXR once got a report of a
50+ vulnerability in MaterialX, clearly a mistake on the reporter's
51+ part.
52+
53+ b. The bug is actually in a dependent library. OpenEXR has gotten
54+ reports of vulnerabilities in OpenJPH, which it uses.
55+
56+ c. It's a known "feature", not a "bug". OpenEXR sometimes gets
57+ reports of "out-of-memory" faults from an extremely large image
58+ from very small file, which is not inherently a flaw in the
59+ library, as it's the responsibility of the host application to
60+ guard against these faults, not the OpenEXR library.
61+
62+ In all cases, explain your reasoning clearly in the comments, and
63+ give the reporter time to rebut your conclusion.
64+
65+ Don't reject the immediately unless it is obviously invalid. You
66+ can always reject it later if further analysis determines that it's
67+ not really a vulnerability.
68+
69+ Don't quibble with the reporter about how exploitable a
70+ vulnerability is. If it's a legitimate bug, fix it, even if it's
71+ the most obscure of edge cases.
72+
73+ 4 . Accept the Security Advisory, using the green button.
74+
75+ 5 . Decide if you want to work in a temporary private fork. This allows
76+ you to collaborate in private, but at the overhead expense of an
77+ additional fork of the repo. Choose this option only if the
78+ vulnerability seems especially egregious and exploitable. If it's a
79+ garden-variety bug, following the conventional development process
80+ in your personal fork is perfectly acceptable.
81+
82+ 6 . Fix the bug.
83+
84+ 7 . Request a CVE, as soon as you are confident the flaw is legitimate
85+ and fixable. It can take a day or so for GitHub to respond with a
86+ reserved identifier. Once they respond, the CVE id will appear in
87+ the right sidebar. This is the public identifier for this
88+ vulnerability.
89+
90+ Once requested, a CVE id cannot be deleted or released, so don't
91+ request the identifier unless you're sure you'll need it.
92+
93+ 8 . Submit a PR. Mention the CVE in the PR description or
94+ comments:
95+
96+ "Addresses CVE-2026-34589".
97+
98+ Mention the PR in the GitHub Security Advisory comments so the
99+ reporter is aware. It's OK to mention the CVE by name because at
100+ this point, the details of the vulernability are not yet npublic.
101+ The CVE number is simply a reserved public identifier with no
102+ associated information.
103+
104+ 9 . Add a reference to the CVE in your project SECURITY.md.
105+
106+ 10 . Make a patch release. Mention the CVE in the release notes.
107+
108+ CVEs do not have standard title fields, but to give context to the
109+ change, you can use the title of the associated GitHub Security
110+ Advisory:
111+
112+ * [CVE-2026-34589](https://www.cve.org/CVERecord?id=CVE-2026-34589) DWA Lossy Decoder Heap Out-of-Bounds Write
113+
114+ Backport the fix to previous minor releases as your project
115+ security policy dictates.
116+
117+ 11 . On the GitHub Security Advisory page, fill in the "Affected
118+ versions" and "Patched versions" fields. Click the "Edit advisory"
119+ button in the upper right corner of the page to edit the fields.
120+ In the "Affected versions" field, entire a comma-separated list of
121+ version ranges, or and "x":
122+
123+ 2.x, 3.0.0-3.0.6, 3.1.0-3.1.9
124+
125+ Note that it's insufficient to only indicate which release the fix
126+ is in. You also need to indicate which previous releases also
127+ contain the vulnerability. Admittedly, this is often not trivial
128+ to determine.
129+
130+ 12 . Once the patched release is out, publish the Security Advisory
131+ (green button at the bottom of the page). This makes the page
132+ public, and it also populates the page at https://www.cve.org with
133+ the relevant information.
134+
135+ TODO
136+ ----
137+
138+ Additional topics to cover here:
9139- Signed releases
10140- Specify GHA actions and dependency checkouts by SHA commit, not version
11141- See testing best practices for: static analysis, dynamic analysis, fuzzing
12- - Setting up a security policy
13- - How to respond to security reports
14- - CVEs
15142- Security audits and how to interact with those teams
0 commit comments