diff options
author | Andrew Gerrand <adg@golang.org> | 2015-08-27 15:40:46 +1000 |
---|---|---|
committer | Chris Broadfoot <cbro@golang.org> | 2015-09-03 03:17:16 +0000 |
commit | a1350a1f7b8d7c5eb8117941bb77708836411b3c (patch) | |
tree | 194324766d281ea31ec96300b4199c7d7a7f486a | |
parent | 00dbc5a54849f4b07f3742d50a76b073ed62c220 (diff) | |
download | go-a1350a1f7b8d7c5eb8117941bb77708836411b3c.tar.gz go-a1350a1f7b8d7c5eb8117941bb77708836411b3c.zip |
[release-branch.go1.5] doc: add Go Security Policy document
Bring in the text from the proposal (with minor edits):
https://github.com/golang/proposal/blob/master/design/11502-securitypolicy.md
Fixes #11502
Change-Id: I92a987be66a0df60c1fad6c6c79f89bd8e9c12a8
Reviewed-on: https://go-review.googlesource.com/13955
Reviewed-by: Jason Buberel <jbuberel@google.com>
Reviewed-on: https://go-review.googlesource.com/14224
Reviewed-by: Andrew Gerrand <adg@golang.org>
-rw-r--r-- | doc/contrib.html | 4 | ||||
-rw-r--r-- | doc/security.html | 174 |
2 files changed, 177 insertions, 1 deletions
diff --git a/doc/contrib.html b/doc/contrib.html index 48390353d1..f5f6f68b5c 100644 --- a/doc/contrib.html +++ b/doc/contrib.html @@ -93,7 +93,9 @@ We pride ourselves on being meticulous; no issue is too small. </p> <p> -Sensitive security-related issues should be reported to <a href="mailto:security@golang.org">security@golang.org</a>. +Security-related issues should be reported to +<a href="mailto:security@golang.org">security@golang.org</a>. +See the <a href="/security">security policy</a> for more details. </p> <h3><a href="/doc/contribute.html">Contributing code</a></h3> diff --git a/doc/security.html b/doc/security.html new file mode 100644 index 0000000000..1879ccfa60 --- /dev/null +++ b/doc/security.html @@ -0,0 +1,174 @@ +<!--{ + "Title": "Go Security Policy", + "Path": "/security", + "Template": true +}--> + +<h2>Implementation</h2> + +<h3>Reporting a Security Bug</h3> + +<p> +Please report to us any issues you find. +This document explains how to do that and what to expect in return. +</p> + +<p> +All security bugs in the Go distribution should be reported by email to +<a href="mailto:security@golang.org">security@golang.org</a>. +This mail is delivered to a small security team. +Your email will be acknowledged within 24 hours, and you'll receive a more +detailed response to your email within 72 hours indicating the next steps in +handling your report. +If you would like, you can encrypt your report using our PGP key (listed below). +</p> + +<p> +Please use a descriptive subject line for your report email. +After the initial reply to your report, the security team will endeavor to keep +you informed of the progress being made towards a fix and full announcement. +These updates will be sent at least every five days. +In reality, this is more likely to be every 24-48 hours. +</p> + +<p> +If you have not received a reply to your email within 48 hours or you have not +heard from the security team for the past five days please contact the Go +security team directly: +</p> + +<ul> +<li>Primary security coordinator: <a href="mailto:adg@golang.org">Andrew Gerrand</a> (<a href="https://drive.google.com/a/google.com/file/d/0B42ZAZN5yFufRldybEVNandRN2c/view">public key</a>).</li> +<li>Secondary coordinator: <a href="mailto:agl@golang.org">Adam Langley</a> (<a href="https://www.imperialviolet.org/key.asc">public key</a>).</li> +<li>If you receive no response, mail <a href="mailto:golang-dev@googlegroups.com">golang-dev@googlegroups.com</a> or use the <a href="https://groups.google.com/forum/#!forum/golang-dev">golang-dev web interface</a>.</li> +</ul> + +<p> +Please note that golang-dev is a public discussion forum. +When escalating on this list, please do not disclose the details of the issue. +Simply state that you're trying to reach a member of the security team. +</p> + +<h3>Flagging Existing Issues as Security-related</h3> + +<p> +If you believe that an <a href="https://golang.org/issue">existing issue</a> +is security-related, we ask that you send an email to +<a href="mailto:security@golang.org">security@golang.org</a>. +The email should include the issue ID and a short description of why it should +be handled according to this security policy. +</p> + +<h3>Disclosure Process</h3> + +<p>The Go project uses the following disclosure process:</p> + +<ol> +<li>Once the security report is received it is assigned a primary handler. +This person coordinates the fix and release process.</li> +<li>The issue is confirmed and a list of affected software is determined.</li> +<li>Code is audited to find any potential similar problems.</li> +<li>If it is determined, in consultation with the submitter, that a CVE-ID is +required, the primary handler obtains one via email to +<a href="http://oss-security.openwall.org/wiki/mailing-lists/distros">oss-distros</a>.</li> +<li>Fixes are prepared for the current stable release and the head/master +revision. These fixes are not yet committed to the public repository.</li> +<li>A notification is sent to the +<a href="https://groups.google.com/group/golang-announce">golang-announce</a> +mailing list to give users time to prepare their systems for the update.</li> +<li>Three working days following this notification, the fixes are applied to +the <a href="https://go.googlesource.com/go">public repository</a> and a new +Go release is issued.</li> +<li>On the date that the fixes are applied, announcements are sent to +<a href="https://groups.google.com/group/golang-announce">golang-announce</a>, +<a href="https://groups.google.com/group/golang-dev">golang-dev</a>, and +<a href="https://groups.google.com/group/golang-nuts">golang-nuts</a>. +</ol> + +<p> +This process can take some time, especially when coordination is required with +maintainers of other projects. Every effort will be made to handle the bug in +as timely a manner as possible, however it's important that we follow the +process described above to ensure that disclosures are handled consistently. +</p> + +<p> +For security issues that include the assignment of a CVE-ID, +the issue is listed publicly under the +<a href="https://www.cvedetails.com/vulnerability-list/vendor_id-14185/Golang.html">"Golang" product on the CVEDetails website</a> +as well as the +<a href="https://web.nvd.nist.gov/view/vuln/search">National Vulnerability Disclosure site</a>. +</p> + +<h3>Receiving Security Updates</h3> + +<p> +The best way to receive security announcements is to subscribe to the +<a href="https://groups.google.com/forum/#!forum/golang-announce">golang-announce</a> +mailing list. Any messages pertaining to a security issue will be prefixed +with <code>[security]</code>. +</p> + +<h3>Comments on This Policy</h3> + +<p> +If you have any suggestions to improve this policy, please send an email to +<a href="mailto:golang-dev@golang.org">golang-dev@golang.org</a> for discussion. +</p> + +<h3>PGP Key for <a href="mailto:security@golang.org">security@golang.org</a></h3> + +<pre> +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: GPGTools - https://gpgtools.org + +mQINBFXI1h0BEADZdm05GDFWvjmQKutUVb0cJKS+VR+6XU3g/YQZGC8tnIL6i7te ++fPJHfQc2uIw0xeBgZX4Ni/S8yIqsbIjqYeaToX7QFUufJDQwrmlQRDVAvvT5HBT +J80JEs7yHRreFoLzB6dnWehWXzWle4gFKeIy+hvLrYquZVvbeEYTnX7fNzZg0+5L +ksvj7lnQlJIy1l3sL/7uPr9qsm45/hzd0WjTQS85Ry6Na3tMwRpqGENDh25Blz75 +8JgK9JmtTJa00my1zzeCXU04CKKEMRbkMLozzudOH4ZLiLWcFiKRpeCn860wC8l3 +oJcyyObuTSbr9o05ra3On+epjCEFkknGX1WxPv+TV34i0a23AtuVyTCloKb7RYXc +7mUaskZpU2rFBqIkzZ4MQJ7RDtGlm5oBy36j2QL63jAZ1cKoT/yvjJNp2ObmWaVF +X3tk/nYw2H0YDjTkTCgGtyAOj3Cfqrtsa5L0jG5K2p4RY8mtVgQ5EOh7QxuS+rmN +JiA39SWh7O6uFCwkz/OCXzqeh6/nP10HAb9S9IC34QQxm7Fhd0ZXzEv9IlBTIRzk +xddSdACPnLE1gJcFHxBd2LTqS/lmAFShCsf8S252kagKJfHRebQJZHCIs6kT9PfE +0muq6KRKeDXv01afAUvoB4QW/3chUrtgL2HryyO8ugMu7leVGmoZhFkIrQARAQAB +tCZHbyBTZWN1cml0eSBUZWFtIDxzZWN1cml0eUBnb2xhbmcub3JnPokCPQQTAQoA +JwUCVcjWHQIbAwUJB4YfgAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRA6RtGR +eVpYOLnDD/9YVTd6DTwdJq6irVfM/ICPlPTXB0JLERqCI1Veptcp56eQoJ0XWGQp +tkGlgbvmCzFo0B+65Te7YA4R3oyBCXd6JgyWQQPy5p60FHyuuCPVAReclSWyt9f2 +Yj/u4DjghKhELOvPiI96egcU3g9jrEEcPjm7JYkc9M2gVSNOnnJvcD7wpQJNCzon +51eMZ1ZyfA5UCBTa0SaT9eXg5zwNlYQnB6ZF6TjXezkhLqlTsBuHxoNVf+9vCC0o +ZKIM2ovptMx9eEguTDKWaQ7tero7Zs/q5fwk/MDzM/LGJ9aXy2RCtqBxv46vDS7G +fCNq+aPD/wyFd6hxQkvkua6hgZwYT+cJWHYA2Yv0LO3BYOJdjfc+j2hjv+mC9lF0 +UpWhCVJv3hHoFaxnz62GdROzf2wXz6aR9Saj1rYSvqT9jC20VInxqMufXNN2sbpo +Kyk6MTbAeepphQpfAWQv+ltWgBiEjuFxYdwv/vmw20996JV7O8nqkeCUW84B6su+ +Y3bbdP9o3DBtOT0j9LTB/FucmdNCNHoO+EnNBKJd6FoYTGLWi3Rq9DLx2V9tdJHo +Bn67dymcl+iyp337HJNY+qS+KCgoqAWlxkzXRiXKb/yluhXdIkqhg4kL8JPAJvfS +cs7Zn67Mx04ixJnRMYCDmxtD4xPsFMzM7g8m3PQp+nE7WhujM/ImM7kCDQRVyNYd +ARAAlw9H/1ybQs4K3XKA1joII16rta9KS7ew76+agXo0jeSRwMEQfItOxYvfhmo8 ++ydn5TWsTbifGU8L3+EBTMRRyzWhbaGO0Wizw7BTVJ7n5JW+ndPrcUpp/ilUk6AU +VxaO/8/R+9+VJZpoeoLHXYloFGNuX58GLIy1jSBvLsLl/Ki5IOrHvD1GK6TftOl5 +j8IPC1LSBrwGJO803x7wUdQP/tsKN/QPR8pnBntrEgrQFSI+Q3qrCvVMmXnBlYum +jfOBt8pKMgB9/ix+HWN8piQNQiJxD+XjEM6XwUmQqIR7y5GINKWgundCmtYIzVgY +9p2Br6UPrTJi12LfKv5s2R6NnxFHv/ad29CpPTeLJRsSqFfqBL969BCpj/isXmQE +m4FtziZidARXo12KiGAnPF9otirNHp4+8hwNB3scf7cI53y8nZivO9cwI7BoClY6 +ZIabjDcJxjK+24emoz3mJ5SHpZpQLSb9o8GbLLfXOq+4uzEX2A30fhrtsQb/x0GM +4v3EU1aP2mjuksyYbgldtY64tD35wqAA9mVl5Ux+g1HoUBvLw0h+lzwh370NJw// +ITvBQVUtDMB96rfIP4fL5pYl5pmRz+vsuJ0iXzm05qBgKfSqO7To9SWxQPdX89R4 +u0/XVAlw0Ak9Zceq3W96vseEUTR3aoZCMIPiwfcDaq60rWUAEQEAAYkCJQQYAQoA +DwUCVcjWHQIbDAUJB4YfgAAKCRA6RtGReVpYOEg/EADZcIYw4q1jAbDkDy3LQG07 +AR8QmLp/RDp72RKbCSIYyvyXEnmrhUg98lUG676qTH+Y7dlEX107dLhFuKEYyV8D +ZalrFQO/3WpLWdIAmWrj/wq14qii1rgmy96Nh3EqG3CS50HEMGkW1llRx2rgBvGl +pgoTcwOfT+h8s0HlZdIS/cv2wXqwPgMWr1PIk3as1fu1OH8n/BjeGQQnNJEaoBV7 +El2C/hz3oqf2uYQ1QvpU23F1NrstekxukO8o2Y/fqsgMJqAiNJApUCl/dNhK+W57 +iicjvPirUQk8MUVEHXKhWIzYxon6aEUTx+xyNMBpRJIZlJ61FxtnZhoPiAFtXVPb ++95BRJA9npidlVFjqz9QDK/4NSnJ3KaERR9tTDcvq4zqT22Z1Ai5gWQKqogTz5Mk +F+nZwVizW0yi33id9qDpAuApp8o6AiyH5Ql1Bo23bvqS2lMrXPIS/QmPPsA76CBs +lYjQwwz8abUD1pPdzyYtMKZUMwhicSFOHFDM4oQN16k2KJuntuih8BKVDCzIOq+E +KHyeh1BqWplUtFh1ckxZlXW9p9F7TsWjtfcKaY8hkX0Cr4uVjwAFIjLcAxk67ROe +huEb3Gt+lwJz6aNnZUU87ukMAxRVR2LL0btdxgc6z8spl66GXro/LUkXmAdyOEMV +UDrmjf9pr7o00hC7lCHFzw== +=WE0r +-----END PGP PUBLIC KEY BLOCK----- +</pre> |