1# curl vulnerability disclosure policy 2 3This document describes how security vulnerabilities are handled in the curl 4project. 5 6## Publishing Information 7 8All known and public curl or libcurl related vulnerabilities are listed on 9[the curl website security page](https://curl.se/docs/security.html). 10 11Security vulnerabilities **should not** be entered in the project's public bug 12tracker. 13 14## Vulnerability Handling 15 16The typical process for handling a new security vulnerability is as follows. 17 18No information should be made public about a vulnerability until it is 19formally announced at the end of this process. That means, for example, that a 20bug tracker entry must NOT be created to track the issue since that will make 21the issue public and it should not be discussed on any of the project's public 22mailing lists. Messages associated with any commits should not make any 23reference to the security nature of the commit if done prior to the public 24announcement. 25 26- The person discovering the issue, the reporter, reports the vulnerability on 27 [HackerOne](https://hackerone.com/curl). Issues filed there reach a handful 28 of selected and trusted people. 29 30- Messages that do not relate to the reporting or managing of an undisclosed 31 security vulnerability in curl or libcurl are ignored and no further action 32 is required. 33 34- A person in the security team responds to the original report to acknowledge 35 that a human has seen the report. 36 37- The security team investigates the report and either rejects it or accepts 38 it. See below for examples of problems that are not considered 39 vulnerabilities. 40 41- If the report is rejected, the team writes to the reporter to explain why. 42 43- If the report is accepted, the team writes to the reporter to let them 44 know it is accepted and that they are working on a fix. 45 46- The security team discusses the problem, works out a fix, considers the 47 impact of the problem and suggests a release schedule. This discussion 48 should involve the reporter as much as possible. 49 50- The release of the information should be "as soon as possible" and is most 51 often synchronized with an upcoming release that contains the fix. If the 52 reporter, or anyone else involved, thinks the next planned release is too 53 far away, then a separate earlier release should be considered. 54 55- Write a security advisory draft about the problem that explains what the 56 problem is, its impact, which versions it affects, solutions or workarounds, 57 when the release is out and make sure to credit all contributors properly. 58 Figure out the CWE (Common Weakness Enumeration) number for the flaw. See 59 [SECURITY-ADVISORY](https://curl.se/dev/advisory.html) for help on creating 60 the advisory. 61 62- Request a CVE number from HackerOne 63 64- Update the "security advisory" with the CVE number. 65 66- The security team commits the fix in a private branch. The commit message 67 should ideally contain the CVE number. If the severity level of the issue is 68 set to Low or Medium, the fix is allowed to get merged into the master 69 repository via a normal PR - but without mentioning it being a security 70 vulnerability. 71 72- The monetary reward part of the bug-bounty is managed by the Internet Bug 73 Bounty team and the reporter is asked to request the reward from them after 74 the issue has been completely handled and published by curl. 75 76- No more than 10 days before release, inform 77 [distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros) 78 to prepare them about the upcoming public security vulnerability 79 announcement - attach the advisory draft for information with CVE and 80 current patch. 'distros' does not accept an embargo longer than 14 days and 81 they do not care for Windows-specific flaws. 82 83- No more than 48 hours before the release, the private branch is merged into 84 the master branch and pushed. Once pushed, the information is accessible to 85 the public and the actual release should follow suit immediately afterwards. 86 The time between the push and the release is used for final tests and 87 reviews. 88 89- The project team creates a release that includes the fix. 90 91- The project team announces the release and the vulnerability to the world in 92 the same manner we always announce releases. It gets sent to the 93 curl-announce, curl-library and curl-users mailing lists. 94 95- The security webpage on the website should get the new vulnerability 96 mentioned. 97 98## security (at curl dot se) 99 100This is a private mailing list for discussions on and about curl security 101issues. 102 103Who is on this list? There are a couple of criteria you must meet, and then we 104might ask you to join the list or you can ask to join it. It really is not a 105formal process. We basically only require that you have a long-term presence 106in the curl project and you have shown an understanding for the project and 107its way of working. You must have been around for a good while and you should 108have no plans of vanishing in the near future. 109 110We do not make the list of participants public mostly because it tends to vary 111somewhat over time and a list somewhere will only risk getting outdated. 112 113## Publishing Security Advisories 114 1151. Write up the security advisory, using markdown syntax. Use the same 116 subtitles as last time to maintain consistency. 117 1182. Name the advisory file after the allocated CVE id. 119 1203. Add a line on the top of the array in `curl-www/docs/vuln.pm`. 121 1224. Put the new advisory markdown file in the `curl-www/docs/` directory. Add it 123 to the git repository. 124 1255. Run `make` in your local web checkout and verify that things look fine. 126 1276. On security advisory release day, push the changes on the curl-www 128 repository's remote master branch. 129 130## HackerOne 131 132Request the issue to be disclosed. If there are sensitive details present in 133the report and discussion, those should be redacted from the disclosure. The 134default policy is to disclose as much as possible as soon as the vulnerability 135has been published. 136 137## Bug Bounty 138 139See [BUG-BOUNTY](https://curl.se/docs/bugbounty.html) for details on the 140bug bounty program. 141 142# Severity levels 143 144The curl project's security team rates security problems using four severity 145levels depending how serious we consider the problem to be. We use **Low**, 146**Medium**, **High** and **Critical**. We refrain from using numerical scoring 147of vulnerabilities. 148 149When deciding severity level on a particular issue, we take all the factors 150into account: attack vector, attack complexity, required privileges, necessary 151build configuration, protocols involved, platform specifics and also what 152effects a possible exploit or trigger of the issue can lead do, including 153confidentiality, integrity or availability problems. 154 155## Low 156 157This is a security problem that is truly hard or unlikely to exploit or 158trigger. Due to timing, platform requirements or the fact that options or 159protocols involved are rare etc. [Past 160example](https://curl.se/docs/CVE-2022-43552.html) 161 162## Medium 163 164This is a security problem that is less hard than **Low** to exploit or 165trigger. Less strict timing, wider platforms availability or involving more 166widely used options or protocols. A problem that usually needs something else 167to also happen to become serious. [Past 168example](https://curl.se/docs/CVE-2022-32206.html) 169 170## High 171 172This issue in itself a serious problem with real world impact. Flaws that can 173easily compromise the confidentiality, integrity or availability of resources. 174Exploiting or triggering this problem is not hard. [Past 175example](https://curl.se/docs/CVE-2019-3822.html) 176 177## Critical 178 179Easily exploitable by a remote unauthenticated attacker and lead to system 180compromise (arbitrary code execution) without requiring user interaction, with 181a common configuration on a popular platform. This issue has few restrictions 182and requirements and can be exploited easily using most curl configurations. 183[Past example](https://curl.se/docs/CVE-2000-0973.html) 184 185# Not security issues 186 187This is an incomplete list of issues that are not considered vulnerabilities. 188 189## Small memory leaks 190 191We do not consider a small memory leak a security problem; even if the amount 192of allocated memory grows by a small amount every now and then. Long-living 193applications and services already need to have counter-measures and deal with 194growing memory usage, be it leaks or just increased use. A small memory or 195resource leak is then expected to *not* cause a security problem. 196 197Of course there can be a discussion if a leak is small or not. A large leak 198can be considered a security problem due to the DOS risk. If leaked memory 199contains sensitive data it might also qualify as a security problem. 200 201## Never-ending transfers 202 203We do not consider flaws that cause a transfer to never end to be a security 204problem. There are already several benign and likely reasons for transfers to 205stall and never end, so applications that cannot deal with never-ending 206transfers already need to have counter-measures established. 207 208If the problem avoids the regular counter-measures when it causes a never- 209ending transfer, it might be a security problem. 210 211## Not practically possible 212 213If the flaw or vulnerability cannot practically get executed on existing 214hardware it is not a security problem. 215 216## API misuse 217 218If a reported issue only triggers by an application using the API in a way 219that is not documented to work or even documented to not work, it is probably 220not going to be considered a security problem. We only guarantee secure and 221proper functionality when the APIs are used as expected and documented. 222 223There can be a discussion about what the documentation actually means and how 224to interpret the text, which might end up with us still agreeing that it is a 225security problem. 226 227## Local attackers already present 228 229When an issue can only be attacked or misused by an attacker present on the 230local system or network, the bar is raised. If a local user wrongfully has 231elevated rights on your system enough to attack curl, they can probably 232already do much worse harm and the problem is not really in curl. 233 234## Experiments 235 236Vulnerabilities in features which are off by default (in the build) and 237documented as experimental, are not eligible for a reward and we do not 238consider them security problems. 239 240## URL inconsistencies 241 242URL parser inconsistencies between browsers and curl are expected and are not 243considered security vulnerabilities. The WHATWG URL Specification and RFC 2443986+ (the plus meaning that it is an extended version) [are not completely 245interoperable](https://github.com/bagder/docs/blob/master/URL-interop.md). 246 247Obvious parser bugs can still be vulnerabilities of course. 248 249## Visible command line arguments 250 251The curl command blanks the contents of a number of command line arguments to 252prevent them from appearing in process listings. It does not blank all 253arguments even if some of them that are not blanked might contain sensitive 254data. We consider this functionality a best-effort and omissions are not 255security vulnerabilities. 256 257 - not all systems allow the arguments to be blanked in the first place 258 - since curl blanks the argument itself they will be readable for a short 259 moment no matter what 260 - virtually every argument can contain sensitive data, depending on use 261 - blanking all arguments would make it impractical for users to differentiate 262 curl command lines in process listings 263 264## Busy-loops 265 266Busy-loops that consume 100% CPU time but eventually end (perhaps due to a set 267timeout value or otherwise) are not considered security problems. Applications 268are supposed to already handle situations when the transfer loop legitimately 269consumes 100% CPU time, so while a prolonged such busy-loop is a nasty bug, we 270do not consider it a security problem. 271 272## Saving files 273 274curl cannot protect against attacks where an attacker has write access to the 275same directory where curl is directed to save files. 276 277## Tricking a user to run a command line 278 279A creative, misleading or funny looking command line is not a security 280problem. The curl command line tool takes options and URLs on the command line 281and if an attacker can trick the user to run a specifically crafted curl 282command line, all bets are off. Such an attacker can just as well have the 283user run a much worse command that can do something fatal (like 284`sudo rm -rf /`). 285 286## Terminal output and escape sequences 287 288Content that is transferred from a server and gets displayed in a terminal by 289curl may contain escape sequences or use other tricks to fool the user. This 290is curl working as designed and is not a curl security problem. Escape 291sequences, moving cursor, changing color etc, is also frequently used for 292good. To reduce the risk of getting fooled, save files and browse them after 293download using a display method that minimizes risks. 294