WebsiteBaker Community Forum

WebsiteBaker => Security Announcements => Topic started by: FrankH on September 04, 2009, 08:13:11 PM

Title: Template for publishing security patches
Post by: FrankH on September 04, 2009, 08:13:11 PM
Some day (hopefully in the near future) we will have some forms on a page where you can report security related issues around WebsiteBaker.

For instance, when you are a module developer and find an issue with your module which makes it exploitable, you probably want to publish a patch as soon as it is available. This is what this board is for. But you can't write directly to this group; you need to report it to the Security Team (still seeking members, by the way) first.
So until the web page for reporting issues is ready, please fill out the following template and send it to me by PM, together with links for downloading the patched and the vulnerable version of your module. This is because we will not publish unexamined messages on this board.

In the following template I added some remarks to explain what is expected in each field.

Template for publishing security patches

Module:        
Name of the module

Patched Version:    
Version number of the patch you want to publish

Download Link:    
preferably link to the AMSP page of the module

Risk level:        
High, middle, or low

Risks:            
Name the risk group, like "code execution", "information disclosure", and so on

Description:        
Short description, do not give as much information as is necessary to exploit the hole on unpatched sites!

Suggestions:        
Describe whatever is necessary to fix the issue, for instance "Upgrade to version xxx as soon as possible"

Forum links:        
There is no discussion allowed in this group of the forum, because it is for announcements only. Therefore it is a good idea to link to forum threads discussing the module, maybe in different languages if available.

Acknowledgement:    
If someone reported the bug to you, you can say thanks here