|
| 1 | +Python Security Response Team (PSRT) |
| 2 | +==================================== |
| 3 | + |
| 4 | +The Python Security Response Team (PSRT) is responsible for handling |
| 5 | +vulnerability reports for CPython and pip. |
| 6 | + |
| 7 | +Vulnerability report triage |
| 8 | +--------------------------- |
| 9 | + |
| 10 | +Vulnerability reports are sent to one of two locations, |
| 11 | +the long-standing ``security@python.org`` mailing list |
| 12 | +or using the private vulnerability reporting feature |
| 13 | +of GitHub Security Advisories (GHSA). |
| 14 | + |
| 15 | +For reports sent to ``security@python.org``, a PSRT admin |
| 16 | +will triage the report and if the report seems plausible |
| 17 | +(that is, not spam and for the correct project) will reply with |
| 18 | +instructions on how to report the vulnerability on GitHub. |
| 19 | + |
| 20 | +If the reporter doesn't want to use GitHub's Security Advisories feature |
| 21 | +then the PSRT admins can create a draft report on behalf of the reporter. |
| 22 | + |
| 23 | +Coordinating a vulnerability report |
| 24 | +----------------------------------- |
| 25 | + |
| 26 | +Each report will have a member of the PSRT assigned as the "coordinator". |
| 27 | +The coordinator will be responsible for following the below process and |
| 28 | +will be publicly credited on vulnerability records post-publication. |
| 29 | + |
| 30 | +If a coordinator can't complete the process for any reason (time obligation, |
| 31 | +vacation, etc.) they must find a replacement coordinator in the PSRT |
| 32 | +and reassign the vulnerability report appropriately. |
| 33 | + |
| 34 | +Coordinators are expected to collaborate with other PSRT members and core developers |
| 35 | +when needed for guidance on whether the report is an actual vulnerability, |
| 36 | +severity, advisory text, and fixes. |
| 37 | + |
| 38 | +**The vulnerability coordination process is:** |
| 39 | + |
| 40 | +* Coordinator will determine whether the report constitutes a vulnerability. If the report isn't a vulnerability, |
| 41 | + the reporter should be notified appropriately. Close the GHSA report, the report can be reopened if |
| 42 | + sufficient evidence is later obtained that the report is a vulnerability. |
| 43 | + |
| 44 | +* After a vulnerability report is accepted, a Common Vulnerabilities and Exposures (CVE) ID must be assigned. If this is not done |
| 45 | + automatically, then a CVE ID can be obtained by the coordinator sending an email to ``cna@python.org``. |
| 46 | + No details about the vulnerability report need to be shared with the PSF CVE Numbering Authority (CNA) for a CVE ID to be reserved. |
| 47 | + |
| 48 | +* If the report is a vulnerability, the coordinator will determine the severity of the vulnerability. Severity is one of: |
| 49 | + **Low**, **Medium**, **High**, and **Critical**. Coordinators can use their knowledge of the code, how the code is likely used, |
| 50 | + or another mechanism like Common Vulnerability Scoring System (CVSS) for determining a severity. Add this information to the GitHub Security Advisory. |
| 51 | + |
| 52 | +* Once a CVE ID is assigned, the coordinator will share the acceptance and CVE ID with the reporter. |
| 53 | + Use this CVE ID for referencing the vulnerability. The coordinator will ask the reporter |
| 54 | + if the reporter would like to be credited publicly for the report and if so, how they would like to be credited. |
| 55 | + Add this information to the GitHub Security Advisory. |
| 56 | + |
| 57 | +* The coordinator authors the vulnerability advisory text. The advisory must include the following information: |
| 58 | + |
| 59 | + * Title should be a brief description of the vulnerability and affected component |
| 60 | + (for example, "Buffer over-read in SSLContext.set_npn_protocols()") |
| 61 | + |
| 62 | + * Short description of the vulnerability, impact, and the conditions where the affected component is vulnerable, if applicable. |
| 63 | + |
| 64 | + * Affected versions. This could be "all versions", but if the vulnerability exists in a new feature |
| 65 | + or removed feature then this could be different. Include versions that are end-of-life in this calculation |
| 66 | + (for example, "Python 3.9 and earlier", "Python 3.10 and later", "all versions of Python"). |
| 67 | + |
| 68 | + * Affected components and APIs. The module, function, class, or method must be specified so users can |
| 69 | + search their codebase for usage. For issues affecting the entire project, this can be omitted. |
| 70 | + |
| 71 | + * Mitigations for the vulnerability beyond upgrading to a patched version, if applicable. |
| 72 | + |
| 73 | + This can all be done within the GitHub Security Advisory UI for easier collaboration between reporter and coordinator. |
| 74 | + |
| 75 | +* The coordinator determines the fix approach and who will provide a patch. |
| 76 | + Some reporters are willing to provide or collaborate to create a patch, |
| 77 | + otherwise relevant core developers can be invited to collaborate by |
| 78 | + the coordinator. |
| 79 | + |
| 80 | + * For **Low** and **Medium** severity vulnerabilities it is acceptable |
| 81 | + to develop a patch in public. |
| 82 | + The pull request must be marked with the ``security`` and ``release-blocker`` |
| 83 | + labels so that a release is not created without including the patch. |
| 84 | + |
| 85 | + * For **High** and **Critical** severity vulnerabilities the patch must be |
| 86 | + developed privately using GitHub Security Advisories' "Private Forks" feature. |
| 87 | + Core developers can be added to the GitHub Security Advisory via "collaborators" |
| 88 | + to work on the fix together. Once a patch is approved privately and tested, |
| 89 | + a public issue and pull request can be created with |
| 90 | + the ``security`` and ``release-blocker`` labels. |
| 91 | + |
| 92 | +* Once the pull request is merged the advisory can be published. The coordinator will send the advisory by email |
| 93 | + to ``security-announce@python.org`` using the below template. Backport labels must be added as appropriate. |
| 94 | + After the advisory is published a CVE record can be created. |
| 95 | + |
| 96 | +Template responses |
| 97 | +------------------ |
| 98 | + |
| 99 | +These template responses should be used as guidance for messaging |
| 100 | +in various points in the process above. They are not required to be sent as-is, |
| 101 | +please feel free to adapt them as needed for the current context. |
| 102 | + |
| 103 | +**Directing to GitHub Security Advisories:** |
| 104 | + |
| 105 | +.. highlight:: none |
| 106 | + |
| 107 | +:: |
| 108 | + |
| 109 | + Thanks for submitting this report. |
| 110 | + We use GitHub Security Advisories for triaging vulnerability reports, |
| 111 | + are you able to submit your report directly to GitHub? |
| 112 | + |
| 113 | + https://github.com/python/cpython/security/advisories/new |
| 114 | + |
| 115 | + If you're unable to submit a report to GitHub (due to not having a GitHub |
| 116 | + account or something else) let me know and I will create a GitHub Security |
| 117 | + Advisory on your behalf, although you won't be able to participate directly |
| 118 | + in discussions. |
| 119 | + |
| 120 | +**Rejecting a vulnerability report:** |
| 121 | + |
| 122 | +:: |
| 123 | + |
| 124 | + Thanks for your report. We've determined that the report doesn't constitute |
| 125 | + a vulnerability. Let us know if you disagree with this determination. |
| 126 | + If you are interested in working on this further, you can optionally open a |
| 127 | + public issue on GitHub. |
| 128 | + |
| 129 | +**Accepting a vulnerability report:** |
| 130 | + |
| 131 | +:: |
| 132 | + |
| 133 | + Thanks for your report. We've determined that the report |
| 134 | + is a vulnerability. We've assigned {CVE-YYYY-XXXX} and determined |
| 135 | + a severity of {Low,Medium,High,Critical}. Let us know if you disagree |
| 136 | + with the determined severity. |
| 137 | + |
| 138 | + If you would like to be publicly credited for this vulnerability as the |
| 139 | + reporter, please indicate that, along with how you would like to be |
| 140 | + credited (name or organization). |
| 141 | + |
| 142 | + Please keep this vulnerability report private until we've published |
| 143 | + an advisory to ``security-announce@python.org``. |
| 144 | + |
| 145 | +**Advisory email:** |
| 146 | + |
| 147 | +:: |
| 148 | + |
| 149 | + Title: [{CVE-YYYY-XXXX}] {title} |
| 150 | + |
| 151 | + There is a {LOW, MEDIUM, HIGH, CRITICAL} severity vulnerability |
| 152 | + affecting {project}. |
| 153 | + |
| 154 | + {description} |
| 155 | + |
| 156 | + Please see the linked CVE ID for the latest information on |
| 157 | + affected versions: |
| 158 | + |
| 159 | + * https://www.cve.org/CVERecord?id={CVE-YYYY-XXXX} |
| 160 | + * {pull request URL} |
0 commit comments