mantisbt:handling_security_problems
Differences
This shows you the differences between two versions of the page.
mantisbt:handling_security_problems [2017/03/10 04:39] – [Once the issue has been logged] reference @mentions dregad | mantisbt:handling_security_problems [2017/03/10 07:34] – Add "Reference the CVE" section dregad | ||
Line 75: | Line 75: | ||
==== Obtaining a CVE ID ==== | ==== Obtaining a CVE ID ==== | ||
- | Refer to Kurt Seifried' | + | Fill the form at https://cveform.mitre.org/, following indications on the page. |
- | The request must include: | + | * //Vendor of the product// and //Product// should be set to **MantisBT** |
+ | * a couple of examples for the //Version// field: | ||
+ | - Single version: 2.1.0 and later; fixed in 2.2.1 | ||
+ | - Multiple versions: 1.3.0-beta.3 through 2.2.0, fixed in 1.3.7, 2.2.1 | ||
+ | * //Affected components//: | ||
+ | * // | ||
+ | - the MantisBT issue | ||
+ | - Github commit(s) with patches fixing the issue | ||
- | - description of the issue, including but not limited to | + | Once the form has been submitted, the system will send a confirmation |
- | * type, e.g. XSS, sql injection... | + | |
- | * which area of Mantis are affected | + | |
- | * potential consequences of exploiting the bug | + | |
- | * indication on severity | + | |
- | - affected MantisBT version(s) | + | |
- | | + | |
- | - optionally, information about the reporter (if available and they do not refuse to be quoted) | + | |
- | - information about the patch (i.e. where it can be found, commit SHA) | + | |
- | - optionally, attach | + | |
- | Here are a few **examples** of public CVE requests: | + | Note that There are alternatives to request CVE IDs; refer to Kurt Seifried' |
+ | |||
+ | Here are a few **examples** of public CVE requests, requested via the // | ||
[[http:// | [[http:// | ||
[[http:// | [[http:// | ||
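Review bot: the rewritten "Obtaining a CVE ID" section drops the guidance the removed bullet list gave on what the request must describe (type of issue such as XSS or SQL injection, which area of Mantis is affected, potential consequences of exploiting the bug, an indication of severity, and where the patch can be found, including the commit SHA); the MITRE form still needs that information in its description, so keep a short list of those points under the form instructions instead of covering only the Vendor/Product/Version/Affected components fields. Minor: "Note that There are alternatives" should read "Note that there are alternatives", and "Github commit(s)" should be "GitHub commit(s)" to match the spelling used in the new "Reference the CVE" section.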
Line 96: | Line 96: | ||
[[http:// | [[http:// | ||
- | From experience, | + | ==== Reference |
+ | |||
+ | Once the CVE ID has been assigned, it must be referenced in MantisBT, and used in every communication related | ||
+ | * MantisBT' | ||
+ | * in commit messages | ||
+ | * on GitHub pull requests | ||
+ | * in mailing lists discussions | ||
+ | * in announcements (e.g. release notes, blog post, twitter...) | ||
+ | * etc | ||
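Review bot: in the new "Reference the CVE" section, "in mailing lists discussions" should read "in mailing list discussions", and the closing "* etc" bullet adds nothing to the list of places where the CVE ID must appear; either drop it or replace it with "any other public communication about the fix" so the requirement stated in the opening sentence ("used in every communication related") is explicit rather than open-ended.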
mantisbt/handling_security_problems.txt · Last modified: 2021/07/14 12:08 by dregad