
Clarification requested about 'versions' section

Open ckaran opened this issue 5 years ago • 2 comments

The template file has the following section in it, which is marked as being mandatory.

# Versions which include fixes for this vulnerability (mandatory)
[versions]
patched = [">= 1.2.0"]

How do we disclose vulnerabilities that haven't yet been patched? I'm specifically thinking of all of the following cases:

  • You discover a serious security hole that can be temporarily worked around by changing firewall settings, or disabling an optional feature.
  • You've wrapped an external library (e.g. C/C++) and it has the vulnerability, which you're now exposing to your users. You don't have control over the wrapped library, so all you can do is warn the users about it.
  • You discover that your public API is buggy, but can't change it without forcing a major update. Instead of rushing to a new API, you choose to disclose the fact that the current API is buggy so that users avoid the buggy parts while you design a better API.

If this section were optional, then the assumption could be that the vulnerability has not yet been patched. Alternatively, you may wish to update the template (and possibly the code) to permit an empty list, which indicates that it hasn't yet been patched.

ckaran, May 05 '20 12:05

Use

[versions]
patched = []

tarcieri, May 05 '20 13:05

Sounds good, can you update the documentation in the template to explain that?

ckaran, May 05 '20 13:05
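What `patched = []` means to a consumer of the advisory, as an added example that is not part of this thread and not advisory-db or `cargo-audit` code: a version is vulnerable unless some requirement in `patched` covers it, so an empty list flags every version, which is exactly the "no fix exists yet" case the issue asks about. The `Version`, `Req`, `parse_patched` and `is_vulnerable` names are my own; the reader is a deliberately minimal line-based scan of the `patched = [...]` entry rather than a TOML parser, it understands only `MAJOR.MINOR.PATCH` versions and the comparison operators `>=`, `>`, `<=`, `<`, `=` (comma-separated predicates all have to hold), and the advisory texts are constructed samples, not real RustSec entries.

```rust
// Added example (not advisory-db code): evaluate the `[versions]` table of an
// advisory, treating `patched = []` as "every version is still affected".
use std::cmp::Ordering;

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

impl Version {
    /// Parse "MAJOR.MINOR.PATCH". Pre-release tags and build metadata are
    /// not handled (assumption made to keep the example self-contained).
    pub fn parse(s: &str) -> Option<Version> {
        let mut it = s.trim().split('.').map(|p| p.parse::<u64>().ok());
        let v = Version(it.next()??, it.next()??, it.next()??);
        if it.next().is_some() {
            return None; // reject "1.2.3.4"
        }
        Some(v)
    }
}

pub enum Op { Ge, Gt, Le, Lt, Eq }

/// One requirement string such as ">= 1.2.0" or ">= 0.9.5, < 1.0.0".
pub struct Req(Vec<(Op, Version)>);

impl Req {
    pub fn parse(s: &str) -> Option<Req> {
        let mut preds = Vec::new();
        for part in s.split(',') {
            let part = part.trim();
            let (op, rest) = if let Some(r) = part.strip_prefix(">=") { (Op::Ge, r) }
                else if let Some(r) = part.strip_prefix("<=") { (Op::Le, r) }
                else if let Some(r) = part.strip_prefix('>') { (Op::Gt, r) }
                else if let Some(r) = part.strip_prefix('<') { (Op::Lt, r) }
                else if let Some(r) = part.strip_prefix('=') { (Op::Eq, r) }
                else { (Op::Eq, part) }; // bare "1.2.0" means exactly that version
            preds.push((op, Version::parse(rest)?));
        }
        Some(Req(preds))
    }

    /// All predicates of the requirement must hold for the version.
    pub fn matches(&self, v: &Version) -> bool {
        self.0.iter().all(|(op, bound)| match op {
            Op::Ge => v.cmp(bound) != Ordering::Less,
            Op::Gt => v.cmp(bound) == Ordering::Greater,
            Op::Le => v.cmp(bound) != Ordering::Greater,
            Op::Lt => v.cmp(bound) == Ordering::Less,
            Op::Eq => v == bound,
        })
    }
}

/// Extract the quoted strings from `[">= 1.2.0", "< 0.5.0"]`; `[]` yields none.
fn quoted_strings(s: &str) -> Vec<String> {
    s.split('"').skip(1).step_by(2).map(String::from).collect()
}

/// Find the `patched = [...]` line and parse each requirement. This is a
/// line scan, not a TOML parser; a real tool should use a TOML crate.
pub fn parse_patched(advisory: &str) -> Option<Vec<Req>> {
    let line = advisory.lines().map(str::trim).find(|l| l.starts_with("patched"))?;
    let (_, rhs) = line.split_once('=')?;
    quoted_strings(rhs).iter().map(|s| Req::parse(s)).collect()
}

/// A version is vulnerable unless some `patched` requirement covers it.
/// With `patched = []` nothing covers anything, so every version is reported.
pub fn is_vulnerable(patched: &[Req], v: &Version) -> bool {
    !patched.iter().any(|r| r.matches(v))
}

fn main() {
    // Constructed sample advisories (not real RustSec entries).
    let samples = [
        ("fixed upstream", "[versions]\npatched = [\">= 1.2.0\"]\n"),
        ("no fix yet", "[versions]\npatched = []\n"),
    ];
    for &(label, text) in samples.iter() {
        let patched = parse_patched(text).expect("patched list present");
        for &v in ["1.1.0", "1.2.0", "2.0.0"].iter() {
            let ver = Version::parse(v).unwrap();
            println!("{}: {} vulnerable = {}", label, v, is_vulnerable(&patched, &ver));
        }
    }
}
```

The important edge case is that a missing `patched` key and an empty `patched` list are different things: the first is a malformed advisory (`parse_patched` returns `None`), while the second is a valid statement that no release fixes the issue, which is why the template should document the empty list explicitly rather than leave the key optional.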