Document how to report security vulnerabilities

While pointing out that Twitter was not the proper communication channel to report security vulnerabilities, I've not been able to locate a procedure on how security vulnerabilities should be reported.

I've see nothing on https://www.torproject.org/about/contact.html.en and asking StartPage for "host:www.torproject.org report security vulnerability" did not turn anything up.

added component::webpages/website owner::kat5 priority::medium resolution::fixed severity::blocker status::closed type::defect labels

Quick summary of a following IRC conversation: the past approach has been for people to gpg-encrypt their mail to one of me, nickm, ioerror, or whoever else they think is the sole member of the tor project (arma). That could be documented right now.

But that's not a great approach. i guess another option is for us to create a tor-security gpg key and share it across said people (arma), so we could call it tor-security@tp.o (arma), who's "we"?, you, me, athena, mikeperry, and somebody? (nickm), works for me (arma). But it needs to not be a 'cool kids club (arma) and an explicit set of critera might be better.

For a bit of history, see #3884 (closed).

Trac:
Cc: N/A to intrigeri@boum.org

Regarding what email address to use, the following is summarized from a tor-project IRC conversation:

• Section 4 of RFC 2142 says we should reserve security@... for people to report network / infrastructure security issues.
• On the other hand, Google advertises security@google.com as the method to report software vulnerabilities as well as security incidents. See http://www.google.com/about/appsecurity/

So maybe the right thing to do is to combine both roles behind one email address (which will probably lead to more work / more hassle for us internally, but it would make things easier for outsiders).

Trac:
Cc: intrigeri@boum.org to intrigeri@boum.org, mcs

I've added a paragraph about our current approach. Creating a list is not a website issue, please reopen etc once that has been completed.

Trac:
Status: new to closed
Resolution: N/A to fixed

A tor-security list has been created, but it's not on the contact page. And neither is the key.

Trac:
Status: closed to reopened
Cc: intrigeri@boum.org, mcs to intrigeri@boum.org, mcs, dgoulet
Reviewer: N/A to N/A
Sponsor: N/A to N/A
Resolution: fixed to N/A
Severity: N/A to Blocker

Ad the very least, it should be documented here: https://trac.torproject.org/projects/tor/wiki/doc/emailLists

If someone can add the key I can update the Contact page.

As for the mailing list wiki page, I'm thinking it should it go under Administrative Lists rather than down with network-team-security@ under Encrypted Lists.

Trac:
Status: reopened to assigned
Owner: N/A to kat5

The key fingerprint for tor-security is 8B90 4624 C5A2 8654 E453 9BC2 E135 A8B4 1A7B F184. dgoulet can confirm.

Added to the mailing list wiki page.

Ready for review/merge: https://gitweb.torproject.org/user/kat/webwml.git/commit/?h=add-tor-security-list-info-to-contact

Trac:
Status: assigned to needs_review

This looks fine to me, let's get the ok from someone on the list before we merge it.

Trac:
Cc: intrigeri@boum.org, mcs, dgoulet to intrigeri@boum.org, mcs, dgoulet, arma

Looks good to me (and I happen to be on that list).

Trac:
Status: needs_review to merge_ready

hiro merged this.

Trac:
Resolution: N/A to fixed
Status: merge_ready to closed

closed

moved to tpo/web/trac#9186 (closed)