Opened 5 years ago

Closed 2 years ago

#13966 closed task (fixed)

Publish guidelines for reporting exploits

Reported by: michael
Owned by:
Priority: High
Milestone: Tor: 0.3.1.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.7
Severity: Normal
Keywords: Exploit, security, response, documentation, wiki, 027-triaged-1-in, tor-doc-process, isaremoved, tor-03-unspecified-201612
Cc:
Actual Points:
Parent ID:
Points: 3
Reviewer:
Sponsor: SponsorU-can

Description

There exists no easy-to-find documentation (on the wiki or elsewhere) that advises how to report a suspected Tor (proxy, browser, bundle, transport...) exploit. And no search on keyservers shows up a 'security' key for a tor-sec@… or similar account.

A blueprint for working this task could be: Just figure out how we've been handling exploit reporting in the past (tor-assistants@ maybe?) and make sure it's a consensus, and write it down in the wiki.

Child Tickets

Change History (24)

comment:1 Changed 5 years ago by nickm

On the short term: if this is the position you're in now, find the name of the person who is maintaining that component, find their PGP key, and send them an encrypted email. And do it again if you haven't heard back from them in a day or two.

Longer-term: Yes, we should document this! And maybe even have an alias and key for the purpose.

comment:2 in reply to: 1 Changed 5 years ago by michael

Replying to nickm:

On the short term: if this is the position you're in now, find the name of the person who is maintaining that component, find their PGP key, and send them an encrypted email. And do it again if you haven't heard back from them in a day or two.

Right, and Core Tor People is a good place to start.

Longer-term: Yes, we should document this! And maybe even have an alias and key for the purpose.

About whether to assign an alias or a real person, it might be useful to examine the FreeBSD project's security policies. Rather than reinventing the wheel, that is.

comment:3 Changed 5 years ago by nickm

Milestone: Tor: 0.2.7.x-final

comment:4 Changed 5 years ago by nickm

Status: new → assigned

comment:5 Changed 4 years ago by nickm

Keywords: 027-triaged-1-in added

Marking more tickets as triaged-in for 0.2.7

comment:6 Changed 4 years ago by isabela

Keywords: SponsorU added
Points: medium
Priority: normal → major
Version: Tor: 0.2.7

comment:7 Changed 4 years ago by nickm

Keywords: TorCoreTeam201507 added

comment:8 Changed 4 years ago by nickm

Owner: set to nickm

comment:9 Changed 4 years ago by nickm

I've started a draft of this. Next steps:

  • Circulating it for initial comment.
  • Asking everybody on tor-internal whether it's something we can live with.
  • Cleaning up the text to be maximally clear and diplomatic.
  • Sticking it under some kind of CC license.
  • Putting it out for public comment.

Last edited 4 years ago by nickm

comment:10 Changed 4 years ago by nickm

Keywords: TorCoreTeam201508 added; TorCoreTeam201507 removed

comment:11 Changed 4 years ago by nickm

Keywords: TorCoreTeam201509 added; TorCoreTeam201508 removed
Milestone: Tor: 0.2.7.x-final → Tor: 0.2.???

comment:12 Changed 4 years ago by nickm

Milestone: Tor: 0.2.??? → Tor: 0.2.8.x-final

comment:13 Changed 4 years ago by nickm

Keywords: SponsorU removed
Sponsor: SponsorU

Bulk-replace SponsorU keyword with SponsorU field.

comment:14 Changed 4 years ago by nickm

Milestone: Tor: 0.2.8.x-final → Tor: 0.2.9.x-final

These seem like features, or like other stuff unlikely to be possible this month. Bumping them to 0.2.9.

comment:15 Changed 4 years ago by isabela

Sponsor: SponsorU → SponsorU-can

comment:16 Changed 3 years ago by nickm

Keywords: TorCoreTeam201509 removed

Removing TorCoreTeam201509 from these tickets, since we do not own a time machine.

comment:17 Changed 3 years ago by nickm

Keywords: tor-doc-process added

comment:18 Changed 3 years ago by isabela

Points: medium → 3

comment:19 Changed 3 years ago by nickm

Owner: nickm deleted

By no means sure that I can get to these.

comment:20 Changed 3 years ago by nickm

Status: assigned → new

Put all unowned "assigned" tickets back into "new".

comment:21 Changed 3 years ago by isabela

Keywords: isaremoved added
Milestone: Tor: 0.2.9.x-final → Tor: 0.2.???

comment:22 Changed 3 years ago by teor

Milestone: Tor: 0.2.??? → Tor: 0.3.???

Milestone renamed

comment:23 Changed 3 years ago by nickm

Keywords: tor-03-unspecified-201612 added
Milestone: Tor: 0.3.??? → Tor: unspecified

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

comment:24 Changed 2 years ago by nickm

Milestone: Tor: unspecified → Tor: 0.3.1.x-final
Resolution: fixed
Severity: Normal
Status: new → closed