 ==== Obtaining a CVE ID ====
-Refer to Kurt Seifried's [[|CVE HowTo]] for the process to request a CVE ID.
-The request must include:
-  - description of the issue, including but not limited to
-    * type, e.g. XSS, SQL injection...
-    * which areas of Mantis are affected
-    * potential consequences of exploiting the bug
-    * indication on severity
-  - affected MantisBT version(s)
-  - link to MantisBT issue
-  - optionally, information about the reporter (if available and they do not refuse to be quoted)
-  - information about the patch (i.e. where it can be found, commit SHA)
-  - optionally, attach the patch itself
-Here are a few **examples** of public CVE requests:
+Fill in the form at, following the indications on the page.
+  * //Vendor of the product// and //Product// should be set to **MantisBT**
+  * a couple of examples for the //Version// field
+    - Single version: 2.1.0 and later; fixed in 2.2.1
+    - Multiple versions: 1.3.0-beta.3 through 2.2.0, fixed in 1.3.7, 2.2.1
+  * //Affected components//: the MantisBT page(s) where the problem exists
+  * //References// should include (if public) links to
+    - the MantisBT issue
+    - GitHub commit(s) with patches fixing the issue
+Once the form has been submitted, the system will send a confirmation e-mail with a request number; after review, MITRE's CVE assignment team will send another e-mail with the CVE ID. From experience, the CVE ID usually gets assigned within one business day.
+
+Note that there are alternatives for requesting CVE IDs; refer to Kurt Seifried's [[|CVE HowTo]] for further information.
+Here are a few **examples** of public CVE requests, requested via the //oss-security Mailing List//:
 [[|1]],
 [[|2]],
Line 96:
 [[|4]].
-From experience, the CVE ID usually gets assigned within one business day, but sometimes it takes up to a week.
+==== Reference the CVE ID ====
+Once the CVE ID has been assigned, it must be referenced in MantisBT and used in every communication related to the security issue:
+  * MantisBT's issue tracker (**Mandatory**): prefix the issue's summary with ''CVE-YYYY-XXXX - ''
+  * in commit messages
+  * on GitHub pull requests
+  * in mailing list discussions
+  * in announcements (e.g. release notes, blog post, Twitter...)
+  * etc.
