Author Topic: Template for publishing security patches  (Read 6819 times)

Offline FrankH

  • Posts: 734
  • Gender: Male
    • Website Baker Demos
Template for publishing security patches
« on: September 04, 2009, 08:13:11 PM »
Some day (hopefully in the near future) we will have some forms on a page where you can report security related issues around WebsiteBaker.

For instance, when you are a module developer and found an issue with your module which makes it exploitable, you probably want to publish a patch as soon as it is available. This is what this board is for. But you can't write directly to this group, you need to report it to the Security Team (still seeking for members, by the way) first.
So until the web page for reporting issues is ready, please fill out the folowing template and send it to me by PM, together with links for downloading the patched and the vulnerable version of your module. This is because we will not publish unexamined messages in this board.

In the following template I did add some remarks to explain what is expected in each field.

Template for publishing security patches

Name of the module

Patched Version:    
Version number of the patch you want to publish

Download Link:    
preferably link to the AMSP page of the module

Risk level:        
High, middle, or low

Name the risk group, like "code execution", "information disclosure", and so on

Short description, do not give as much information as is necessary to exploit the hole on unpatched sites!

Describe whatever is necessary to fix the issue, for instance "Upgrade to version xxx as soon as possible"

Forum links:        
There is no discussion allowed in this group of the forum, because it is for announcements only. Therefore it is a good idea to link to forum threads discussing the module, may be in different languages if available.

If someone reported the bug to you, you can say thanks here
« Last Edit: September 04, 2009, 08:21:37 PM by FrankH »
Ochs und Esel in ihrem Lauf
halt ich leider auch nicht auf