A guide to security vulnerabilities and best practices

[mocoso]

It would be really useful to have a guide to indicate best practices for

a) Users of gems who spot security vulnerabilities on how to report issues and...

b) ...gem maintainers on how to distribute information about new releases they have made to their gems to fix security vulnerabilities.

[bf4]

Do you have any thoughts on the matter? There is now a security page where this information may fit http://guides.rubygems.org/security

[bf4]

This issue should be moved to a mailing list, no? Or to rubysec/ruby-advisory-db#64

[drbrain]

I think these best practices should be included on guides.rubygems.org with pointers to rubysec/ruby-advisory-db for a place for authors to report vulnerabilities in their published gems.

[bf4]

@drbrain But someone has to make up the guidelines and a how-to-post and distribute advisories :)

1. How does one report gem security issues to an author/rubygems.org/rubysec and
2. How should a gem author should publicize the gem security release. (very few seem to [ANN] on ruby-lang or check it)

[mocoso]

@bf4 the reason I originally raised this issue was was that I was trying to find out what best practice in this area was and could not find good guidance. When I asked on the London Ruby User Group (my local group) mailing list no one else seemed to know either.

It seems to me that the easier we can make this i.e. here is a clear guide to follow which tells you who to contact and what to tell them the more likely it is that people will report issues.

Even writing something as brief as:

1. To report a security issue with someone else's gem

   Contact the author(s) privately (i.e. not via a pull request or issue on public project) explaining the issue, how it can be exploited and ideally offering an indication of how it might be fixed.

2. To report a security issue with your own gem

   2.1 OSVDB: email moderators@osvdb.org and/or message @osvdb on GitHub or Twitter.
   2.1 Request a CVE from oss-sec mailing list or reserve a CVE from MITRE.

3. To tell people about a patched version of your gem

   [ANN] on ruby-lang

Would be an improvement on where we are now. Over time each of these sections could be expanded and clarified or link off to guides to these particular actions elsewhere.

[bf4]

@mocoso why don't you add the some of your previous comment in a PR?

[drbrain]

Closing this due to the security page added in #89