Changeset 33589 in project


Timestamp:
08/19/16 20:43:05 (4 years ago)
Author:
sjamaan
Message:

Summary: Fix a few spelling mistakes and change http: to https: where possible. Thanks to Sander Bos for reporting these.

File:
1 edited

  • wiki/security

    r32901 r33589  
    1010The documentation below describes the typical stages in the reporting
    1111and resolution of security issues.  It relies heavily on the idea of
    12 [[http://en.wikipedia.org/wiki/Responsible_disclosure|responsible disclosure]],
     12[[https://en.wikipedia.org/wiki/Responsible_disclosure|responsible disclosure]],
    1313which is a ''constructive and ethical'' approach towards security issues.
    1414It involves an equal amount of responsibility on the part of the
     
    2929This involves keeping you in the loop about our progress and
    3030publishing a detailed security advisory with information about the
    31 bug.  Being open about issues ensures that adminstrators can make an
     31bug.  Being open about issues ensures that administrators can make an
    3232informed decision about whether they're affected and whether to roll
    3333out a patch on all their systems, and it allows others to learn from
     
    3535
    3636If everyone follows these rules, bugs still get fixed quickly and
    37 people can learn from eachother, leading to a higher level of security
    38 awareness.
     37people can learn from each other, leading to a higher level of
     38security awareness.
    3939
    4040=== Finding an issue and collecting info
     
    4242Whenever you believe you've found a security issue, please ensure that
    4343it's present in the latest ''stable'' release.  The latest stable
    44 release has either a {{x.y.0}} or {{x.y.0.z}} version number and
    45 should be mentioned on the main [[http://www.call-cc.org|web site]] or
    46 the [[http://code.call-cc.org|code sub site]] as being the latest release.
     44release has either an {{x.y.0}} or {{x.y.0.z}} version number and
     45should be mentioned on the main [[https://www.call-cc.org|web site]] or
     46the [[https://code.call-cc.org|code sub site]] as being the latest release.
    4747
    4848If you find a security issue in an older version which is not present
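Review bot: the article change on line 44 ("an {{x.y.0}}") is correct when the placeholder is read aloud as "ex dot why", and lines 45-46 now point the "latest stable release" references at https://www.call-cc.org and https://code.call-cc.org; confirm both hosts serve those pages over TLS before merging, since these are the links a reporter follows to check which release to test against.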
     
    8181slack ;)
    8282
    83 This address corresponds to a moderated mailinglist, so your mail
     83This address corresponds to a moderated mailing list, so your mail
    8484might get stuck in a moderation queue.  If you don't receive a reply
    8585within 2 or 3 days, please contact one or two core members directly or
     
    121121of requesting a [[https://cve.mitre.org/about/index.html|CVE]]
    122122identifier unless you already got one assigned.  Once assigned, the
    123 CVE identifier will be posted to the mailinglist in a follow-up.
     123CVE identifier will be posted to the mailing list in a follow-up.
    124124The CVE-request will be sent to
    125 [[http://oss-security.openwall.org/wiki/mailing-lists/oss-security|the oss-security mailinglist]],
     125[[http://oss-security.openwall.org/wiki/mailing-lists/oss-security|the oss-security mailing list]],
    126126with a short description of the issue and a link to the advisory from the
    127 [[http://lists.nongnu.org/archive/html/chicken-users/|chicken-users archive]].
     127[[https://lists.nongnu.org/archive/html/chicken-users/|chicken-users archive]].
    128128
    129129Depending on the complexity of the fix and the security impact of the
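Review bot: the oss-security link on context line 125 stays at http://oss-security.openwall.org while the chicken-users archive link on line 127 and every other link in this changeset moves to https:; if that host serves the page over TLS, switch it as well so the "where possible" in the commit message holds, and if it was left on purpose a word in the message would avoid a follow-up. Minor: "CVE-request" on line 124 would normally be written "CVE request".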
     
    139139
    140140'''Rationale''': When many people are relying on the stability and
    141 security of a system, there exists some tension.  On one hand, we want
    142 to make sure security issues get fixed in a release version as soon as
    143 possible so that everyone can secure their system.  On the other hand,
    144 we don't want to break anyone's critical systems.  This means any
    145 security fixes must be released soon but ideally they are well-tested
    146 before doing so.  Of course, the longer you wait the higher the
    147 chances the bug will be exploited in the wild.
     141security of a system, there exists some tension.  On the one hand, we
     142want to make sure security issues get fixed in a release version as
     143soon as possible so that everyone can secure their system.  On the
     144other hand, we don't want to break anyone's critical systems.  This
     145means any security fixes must be released soon but ideally they are
     146well-tested before doing so.  Of course, the longer you wait the
     147higher the chances the bug will be exploited in the wild.
    148148
    149149We will always give credit to encourage people from sharing their
    150150findings with us in the future.  We will also try to include detailed
    151151information about vulnerabilities to inform others, to increase the
    152 overall state of security in field of software.
     152overall state of security in the field of software.
    153153
    154154=== Keeping advised about security issues
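Review bot: context line 149 still reads "give credit to encourage people from sharing their findings", which is ungrammatical (either "encourage people to share" or "discourage people from sharing"); since this changeset already corrects wording in the same paragraph ("in the field of" on line 152), consider folding that fix in. The reflow of the Rationale paragraph on lines 141-147 changes only line breaks and "On one hand" to "On the one hand", and reads fine.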