Google Git
Sign in
webkit / WebKit / refs/heads/safari-4-branch / . / WebKitSite / security / index.html
blob: 65fc536e620b4ca7afddf63cd8f92226f6057e6a [file] [log] [blame]
<?php
$title="WebKit Security Policy";
include("../header.inc");
?>
<h2>WebKit Security Policy</h2>
<h3>How To Report Security Bugs</h3>
<ol>
<li><b>Reporting an issue:</b> Start by filing a bug in the Security product in the WebKit
bug database,
at <a href="https://bugs.webkit.org">https://bugs.webkit.org</a>.
Bugs in the Security product will have special access controls
that restrict who can view and alter the bug; only members of
the WebKit Security Group and the originator will have access
to the bug.
<li><b>Scope of disclosure:</b>
If you would like to limit further dissemination of the
information in the bug report, please say so in the
bug. Otherwise the WebKit Security Group may share information
with other vendors if we find they may be affected by the same
vulnerability. The WebKit Security Group will handle the
information you provide responsibly. See the other sections of
this document for details.
<li><b>Getting feedback:</b>
We cannot guarantee a prompt human response to every security
bug filed. If you would like immediate feedback on a security
issue, or would like to discuss details with members of the
WebKit Security Group, please
email <a href="mailto:security@webkit.org">security@webkit.org</a>
and include a link to the relevant Bugzilla bug. Your message
will be acknowledged within a week at most.
<p>The current member list will be published at
<a href="security-group-members.html">http://webkit.org/security/security-group-members.html</a>.</p>
</ol>
<h3>How To Join the WebKit Security Group</h3>
<ol>
<li>
<b>Criteria:</b> Nominees for WebKit Security Group
membership should meet at least one of the following criteria:
<br>
Individuals:
<ul>
<li>
The nominee specializes in fixing WebKit security related bugs or often participates in their exploration and resolution.
<li>
The nominee has a track record of finding security vulnerabilities and responsible disclosure of those vulnerabilities.
<li>
The nominee is a web technology expert who has specific interests in knowing
about, resolving, and preventing future security
vulnerabilities.
</ul>
Vendor contacts:
<ul>
<li>
The nominee represents an organization or
company which ships products that include their own copy of
WebKit. Due to their position in the organization, the nominee has a reasonable need to know about security issues and disclosure embargoes.
</ul>
<li><b>Nomination process:</b> Anyone who feels they meet these criteria can nominate
themselves by mailing <a href="mailto:security@webkit.org">security@webkit.org</a>,
or may be nominated by a third party such as an existing
WebKit Security Group member. The nomination email should state whether the nominee is
nominated as an individual or as a vendor contact and clearly describe the grounds for nomination.
<li><b>Choosing new members:</b> If a nomination for Security
Group membership is supported by at least three existing Security
Group members (either one initial nomination and two seconds, or
in the case of self-nomination, three seconds), then it carries
within 5 business days unless an existing member of the Security Group objects.
If an objection is raised, the WebKit Security Group members should discuss
the matter and try to come to consensus; failing this, the nomination will succeed
only by majority vote of the WebKit Security Group. After a vote is called for
on the mailing list, voting will be open for 5 business days.
<li><b>Accepting membership:</b> Before new WebKit Security Group
membership is finalized, the successful nominee should accept
membership and agree to abide by this security policy,
particularly Privileges and Responsibilities of WebKit Security Group members.
<li><b>Duration of membership:</b> Vendor contacts will only remain members
as long as their position with that vendor remains the same. Individuals will remain members
indefinitely until they resign or their membership is terminated.
</ol>
<h3>Privileges and Responsibilities of WebKit Security Group Members</h3>
<ul>
<li><b>Access:</b> WebKit Security Group members will be subscribed to
a private mailing list, <a href="mailto:security@webkit.org">security@webkit.org</a>.
It will be used for technical discussions of security bugs, as well as process discussions about
matters such as disclosure timelines and group membership.
Members will also have access to all bugs in the Security product in the WebKit bug database.
<li><b>Confidentiality:</b> Members of the WebKit Security Group
will be expected to treat WebKit security vulnerability
information shared with the group as confidential until publicly
disclosed:
<ul>
<li>
Members should not disclose Security bug information to
non-members unless the member is employed by the vendor
of a WebKit based product, in which case information can be
shared within that organization on a need-to-know basis and
handled as confidential information normally is within that
organization. The one exception to this rule is that members may
share vulnerabilities with vendors of non-WebKit based products
if their product suffers from the same issue and the reporter has
not explicitly requested this not be done. The non-WebKit vendor
should be asked to respect the issue's embargo date, and to not
share the information beyond the need-to-know people within their
organization.
<li>
Members should not post any information about Security bugs in public forums.
</ul>
<li><b>Disclosure:</b> The WebKit Security Group will negotiate an
embargo date for public disclosure for each new Security bug, with a
default minimum time limit of 60 days. An embargo may be lifted
before the agreed-upon date if all vendors planning to ship a fix
have already done so, and if the reporter does not object. The
agreed-upon embargo date will be communicated to the reporter
through the bug
at <a href="https://bugs.webkit.org">https://bugs.webkit.org</a>.
</ul>
<h3>Termination of WebKit Security Group Membership</h3>
<ul>
<li>Members of the WebKit Security Group may voluntarily end their membership at any time, for any reason.
<li>Inactive members who are no longer reachable via e-mail at the address
associated with their group membership will be removed from the WebKit Security Group.
<li>A member who joined the group as a vendor contact who is no longer associated with that vendor will be
removed from the WebKit Security Group. The person may be re-nominated as an individual expert or as a vendor contact
for another organization.
<li>If a member of the WebKit Security Group does not act in
accordance with the letter and spirit of this policy, then their
WebKit Security Group membership can be revoked by a majority vote of the
members, not including the person under consideration for
revocation. After a member calls for a revocation vote on the mailing list,
voting will be open for 5 business days.
<ul>
<li><b>Emergency suspension:</b> A WebKit Security Group member who blatantly
disregards the WebKit Security Policy may have their membership
temporarily suspended on the request of any two members. In such
a case, the requesting members should notify the security mailing
list with a description of the offense. At this point, membership
will be temporarily suspended for one week, pending outcome of the
vote for permanent revocation.
</ul>
</ul>
<h3>Changes to the Policy</h3>
<p>The WebKit Security Policy may be changed in the future by rough
consensus of the WebKit Security Group. Changes to the policy will be
posted publicly.</p>
<?php
include("../footer.inc");
?>