This shows you the differences between two versions of the page.
securitypolicy [2015/02/25 16:10] oej created |
securitypolicy [2019/02/10 20:00] henningw move page to security namespace |
Line 1: | Line 1: | ||
- | ==== Security Vulnerability Policy | + | ==== Security Vulnerability Policy ==== |
References: | References: | ||
- | * https:// | + | |
+ | * [[https:// | ||
=== Definition === | === Definition === | ||
- | ??? | ||
- | A security vulnerability is when a user of Kamailio can cause Kamailio to crash or lock up by | + | A security vulnerability is (for example) |
- | sending messages to the server process. | + | |
=== Reporting a security Vulnerability === | === Reporting a security Vulnerability === | ||
- | If you believe there' | + | If you believe there' |
- | Send e-mail to security@kamailio.org | + | |
- | - Send an e-mail to security@kamailio.org and include the following information | + | - Send an e-mail to **security |
* A summary | * A summary | ||
* A detailed explanation of how this issue can be exploited and/or reproduced | * A detailed explanation of how this issue can be exploited and/or reproduced | ||
- A member of the Kamailio Security Team will respond | - A member of the Kamailio Security Team will respond | ||
- | - The kamailio developer team will work to solve the issue. When there is a patch for the issue, it should NOT be committed directly. | + | - The kamailio developer team will work to solve the issue. |
+ | - When there is a patch for the issue, it should NOT be committed directly | ||
=== Publishing security vulnerabilities === | === Publishing security vulnerabilities === | ||
- | Kamailio will publish security vulnerabilities, | + | Kamailio will publish security vulnerabilities, |
- | kamailio-announce | + | |
- | also be published on the kamailio.org web site. | + | CVE entries should be created for vulnerabilities in the core and major modules, for rarely used modules this is not necessary. If there are several security issues together in one release, they should be announced together. |
+ | |||
+ | The Kamailio project release security fixed in the normal time based maintenance schedule, no immediate security releases are done. If possible a non-code workaround should be provided for the found security vulnerability. | ||
+ | |||
+ | === Timeline of the security process === | ||
+ | |||
+ | - Initial acknowledge time to the reporting party for a report about a new security issue for a new report: 3 working days | ||
+ | - Time for verification and bug fix from Kamailio development: | ||
+ | - Waiting time for public announcement after the fix is in an official release: 2 months | ||
+ | - Project preparation time for kamailio.org announcement: | ||
=== Kamailio Security Team === | === Kamailio Security Team === | ||
- | A Kamailio Security team should be appointed with core developers of the project. These individuals will be part of the security process and review patches and text for the vulnerability report. | + | A Kamailio Security team is appointed with core developers of the project. These individuals will be part of the security process and review patches and text for the vulnerability report. |
- | === security@kamailio.org | + | === PGP encryption |
- | This address should have a PGP key associated, used by the security officers. | + | The address |
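Review bot: two of the four steps in the new "Timeline of the security process" list carry no duration in the visible text ("Time for verification and bug fix from Kamailio development:" and "Project preparation time for kamailio.org announcement:"), while the other two state "3 working days" and "2 months"; a timeline is only actionable for reporters and the security team if every step has a stated value, so these two should be filled in before the page is published. In the "Publishing security vulnerabilities" section, "The Kamailio project release security fixed in the normal time based maintenance schedule" should read "releases security fixes in the normal time-based maintenance schedule". The "Definition" entry as shown ends at "A security vulnerability is (for example)", so the examples that are meant to follow should be checked for completeness as well.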