
Draft security policy #2163

Open
wants to merge 1 commit into
base: main

Conversation

djc
Collaborator

@djc djc commented Mar 1, 2024

Fixes #2159.

## Reporting a Vulnerability

Please report security bugs [via GitHub](https://github.com/hickory-dns/hickory-dns/security/advisories/new).

Contributor

@marcus0x62 marcus0x62 Mar 1, 2024


It would be good to include a statement here reminding people to not use public issues or PRs to report security issues and also a statement that Hickory doesn't offer a bug bounty at this time.

Member


Yeah, I agree with this.

@pspacek

pspacek commented Mar 1, 2024

Speaking from experience with other DNS projects, you might want to mention e.g.:

  • if it affects multiple implementations tell us upfront - it requires multi-party coordination and sometimes reporters kinda forget to mention it unless asked explicitly
  • maybe you will want to have some statute of limitations, documented security assumptions etc.; as an example, see https://bind9.readthedocs.io/en/latest/chapter7.html

For starters, I'm not sure if DNSSEC validation and related features are fully supported (in the political sense) and if misvalidations should be reported as security bugs.

@bluejekyll
Member

> I'm not sure if DNSSEC validation and related features are fully supported

This is currently true, but we are going to be getting better here, so it's worth having a statement on it. I think the bigger question is on response time. I don't think we are able to guarantee a rapid response to security issues in general, and DNSSEC is more complex than most other issues and could require a longer turnaround to fix.

@marcus0x62
Contributor

> > I'm not sure if DNSSEC validation and related features are fully supported
>
> This is currently true, but we are going to be getting better here, so it's worth having a statement on it. I think the bigger question is on response time. I don't think we are able to guarantee a rapid response to security issues in general, and DNSSEC is more complex than most other issues and could require a longer turnaround to fix.

I think the only definite time frames should be acknowledgement and initial response time frames, which could be several days (Node, for instance, has a 5-day response time), with a time frame to deliver a fix and coordinate disclosure with the researcher to be worked out on a case-by-case basis.

Maybe something like this:

Please report vulnerabilities via GitHub security advisories. The Hickory DNS team will make every effort to respond to vulnerability disclosures within 96 hours. After initial triage, we will work with the reporting researcher on a disclosure time-frame and mutually agreeable embargo date, taking into account the work needed to:

  • Identify affected versions
  • Develop and test appropriate fix(es)
  • Coordinate response with other DNS vendors (if necessary).


| Version | Supported |
| -------- | --------------------------- |
| 0.24.x | :white_check_mark: |
Member

Rather than explicitly stating versions, should we instead talk about "current version" and "previous versions"?

@djc
Collaborator Author

djc commented Mar 4, 2024

@bluejekyll feel free to take over this branch, I'm not sure I will have much time to work on it.

Successfully merging this pull request may close these issues.

Missing point of contact for security issues