Security Issues

This document explains how security issues affecting code in the main superdesk/web-publisher Git repository are handled by the Superdesk Publisher core team.

Reporting a Security Issue

If you think that you have found a security issue in Superdesk Publisher, don’t use the bug tracker and don’t publish it publicly. Instead, all security issues must be sent to security [at] superdesk.org. Emails sent to this address are forwarded to the Superdesk Publisher core-team private mailing list.

Resolving Process

For each report, we first try to confirm the vulnerability. When it is confirmed, the core team works on a solution following these steps:

  1. Send an acknowledgement to the reporter;
  2. Work on a patch;
  3. Write a security announcement for the official Superdesk Publisher blog about the vulnerability. This post should contain the following information:
    • a title that always include the “Security release” string;
    • a description of the vulnerability;
    • the affected versions;
    • the possible exploits;
    • how to patch/upgrade/workaround affected applications;
    • credits.
  4. Send the patch and the announcement to the reporter for review;
  5. Apply the patch to all maintained versions of Superdesk Publisher;
  6. Package new releases for all affected versions;
  7. Publish the post on the official Superdesk Publisher blog

Note

Releases that include security issues should not be made on a Saturday or Sunday, except if the vulnerability has been publicly posted.

Note

While we are working on a patch, please do not reveal the issue publicly.