Opened 7 years ago

Closed 2 years ago

#9186 closed defect (fixed)

Document how to report security vulnerabilities

Reported by: lunar Owned by: kat5
Priority: Medium Milestone:
Component: Webpages/Website Version:
Severity: Blocker Keywords:
Cc: intrigeri@…, mcs, dgoulet, arma Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


While pointing out that Twitter was not the proper communication channel to report security vulnerabilities, I've not been able to locate a procedure on how security vulnerabilities should be reported.

I've see nothing on
and asking StartPage for " report security vulnerability" did not turn anything up.

Child Tickets

Change History (16)

comment:1 Changed 7 years ago by lunar

Quick summary of a following IRC conversation: the past approach has been for people to gpg-encrypt their mail to one of me, nickm, ioerror, or whoever else they think is the sole member of the tor project (arma). That could be documented right now.

But that's not a great approach. i guess another option is for us to create a tor-security gpg key and share it across said people (arma), so we could call it tor-security@… (arma), who's "we"?, you, me, athena, mikeperry, and somebody? (nickm), works for me (arma).
But it needs to not be a 'cool kids club (arma) and an explicit set of critera might be better.

comment:2 Changed 7 years ago by runa

For a bit of history, see #3884.

comment:3 Changed 6 years ago by intrigeri

Cc: intrigeri@… added

comment:4 Changed 6 years ago by mcs

Cc: mcs added

Regarding what email address to use, the following is summarized from a tor-project IRC conversation:

  • Section 4 of RFC 2142 says we should reserve security@... for people to report network / infrastructure security issues.
  • On the other hand, Google advertises security@… as the method to report software vulnerabilities as well as security incidents. See

So maybe the right thing to do is to combine both roles behind one email address (which will probably lead to more work / more hassle for us internally, but it would make things easier for outsiders).

comment:5 Changed 5 years ago by Sebastian

Resolution: fixed
Status: newclosed

I've added a paragraph about our current approach. Creating a list is not a website issue, please reopen etc once that has been completed.

comment:6 Changed 3 years ago by teor

Cc: dgoulet added
Resolution: fixed
Severity: Blocker
Status: closedreopened

A tor-security list has been created, but it's not on the contact page. And neither is the key.

comment:7 Changed 3 years ago by teor

Ad the very least, it should be documented here:

comment:8 Changed 3 years ago by kat5

If someone can add the key I can update the Contact page.

As for the mailing list wiki page, I'm thinking it should it go under Administrative Lists rather than down with network-team-security@ under Encrypted Lists.

comment:9 Changed 3 years ago by kat5

Owner: set to kat5
Status: reopenedassigned

comment:10 Changed 3 years ago by teor

The key fingerprint for tor-security is 8B90 4624 C5A2 8654 E453 9BC2 E135 A8B4 1A7B F184.
dgoulet can confirm.

comment:11 Changed 3 years ago by kat5

comment:12 Changed 3 years ago by kat5

Status: assignedneeds_review

comment:13 Changed 3 years ago by teor

Cc: arma added

This looks fine to me, let's get the ok from someone on the list before we merge it.

comment:14 Changed 2 years ago by gk

Looks good to me (and I happen to be on that list).

comment:15 Changed 2 years ago by teor

Status: needs_reviewmerge_ready

comment:16 Changed 2 years ago by kat5

Resolution: fixed
Status: merge_readyclosed

hiro merged this.

Note: See TracTickets for help on using tickets.