Differences

This shows you the differences between two versions of the page.

--- mantisbt:handling_security_problems [2017/03/10 04:39] – [Once the issue has been logged] reference @mentions dregad
+++ mantisbt:handling_security_problems [2021/07/14 12:08] (current) – Must be logged in with mantisbt.org account dregad
@@ Line 10: / Line 10: @@
 If you discover a security issue or what you think could be one, please
-[[http://www.mantisbt.org/bugs/bug_report_page.php?category_id=36&view_state=50|Open a new issue]]
+[[https://mantisbt.org/bugs/bug_report_page.php?category_id=36&view_state=50|Open a new issue]]
+((You must be logged-in with your mantisbt.org account to use this link))
 in our bug tracker following the guidelines below.
@@ Line 75: / Line 76: @@
 ==== Obtaining a CVE ID ====
-Refer to Kurt Seifried's [[https://github.com/RedHatProductSecurity/CVE-HOWTO#how-do-i-request-a-cve|CVE HowTo]] for the process to request a CVE ID.
+Fill the form at https://cveform.mitre.org/, following indications on the page.
-The request must include:
+  * //Vendor of the product// and //Product// should be set to **MantisBT**
+  * a couple of examples for the //Version// field:
+    - Single version: 2.1.0 and later; fixed in 2.2.1
+    - Multiple versions: 1.3.0-beta.3 through 2.2.0, fixed in 1.3.7, 2.2.1
+  * //Affected components//: the MantisBT page(s) where the problem exists
+  * //References// should include (if public) links to
+    - the MantisBT issue
+    - Github commit(s) with patches fixing the issue
-  - description of the issue, including but not limited to
+Once the form has been submitted, the system will send a confirmation e-mail with a request number; after review, MITRE's CVE assignment team will send another e-mail with the CVE ID. From experience, the CVE ID usually gets assigned within one business day.
-     * type, e.g. XSS, sql injection...
-     * which area of Mantis are affected
-     * potential consequences of exploiting the bug
-     * indication on severity
-  - affected MantisBT version(s)
-  - link to MantisBT issue
-  - optionally, information about the reporter (if available and they do not refuse to be quoted)
-  - information about the patch (i.e. where it can be found, commit SHA)
-  - optionally, attach the patch itself
-Here are a few **examples** of public CVE requests:
+Note that There are alternatives to request CVE IDs; refer to Kurt Seifried's [[https://github.com/RedHatProductSecurity/CVE-HOWTO#how-do-i-request-a-cve|CVE HowTo]] for further information.
+Here are a few **examples** of public CVE requests, requested via the //oss-security Mailing List//:
 [[http://thread.gmane.org/gmane.comp.security.oss.general/15434|1]],
 [[http://thread.gmane.org/gmane.comp.security.oss.general/15429|2]],
@@ Line 96: / Line 97: @@
 [[http://thread.gmane.org/gmane.comp.security.oss.general/9876|4]].
-From experience, the CVE ID usually gets assigned within one business day, but sometimes it takes up to a week.
+==== Reference the CVE ID ====
+Once the CVE ID has been assigned, it must be referenced in MantisBT, and used in every communication related to the security issue.
+  * MantisBT's issue tracker (**Mandatory**): prefix the issue's summary with ''CVE-YYYY-XXXX - ''
+  * in commit messages
+  * on GitHub pull requests
+  * in mailing lists discussions
+  * in announcements (e.g. release notes, blog post, twitter...)
+  * etc