Inicio Explorar Ayuda
Iniciar sesión
d3m3vilurr
/
sonyoss-vita-webkit
Seguir 1
Destacar 0
Fork 0
Archivos Incidencias 0 Pull Requests 0 Wiki
Rama: master
Ramas Etiquetas
sonyoss-vita...
/
Websites
/
webkit.org
/
security
/
index.html

index.html 8.3 KB
Permalink Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176 
  1. <?php 
    2. 

  2.     $title="WebKit Security Policy";
    3. 

  3.     include("../header.inc"); 
    4. 

  4. ?>
    5. 

  5. <h2>WebKit Security Policy</h2>
    6. 

  6. <h3>How To Report Security Bugs</h3>
    7. 

  7. <ol>
    8. 

  8.     <li><b>Reporting an issue:</b> Start by filing a bug in the Security product in the WebKit
    9. 

  9.     bug database,
    10. 

  10.     at <a href="https://bugs.webkit.org">https://bugs.webkit.org</a>.
    11. 

  11.     Bugs in the Security product will have special access controls
    12. 

  12.     that restrict who can view and alter the bug; only members of
    13. 

  13.     the WebKit Security Group and the originator will have access
    14. 

  14.     to the bug. 
    15. 

  15.     <li><b>Scope of disclosure:</b>
    16. 

  16.     If you would like to limit further dissemination of the
    17. 

  17.     information in the bug report, please say so in the
    18. 

  18.     bug. Otherwise the WebKit Security Group may share information
    19. 

  19.     with other vendors if we find they may be affected by the same
    20. 

  20.     vulnerability. The WebKit Security Group will handle the
    21. 

  21.     information you provide responsibly. See the other sections of
    22. 

  22.     this document for details.
    23. 

  23.     <li><b>Getting feedback:</b>
    24. 

  24.     We cannot guarantee a prompt human response to every security
    25. 

  25.     bug filed. If you would like immediate feedback on a security
    26. 

  26.     issue, or would like to discuss details with members of the
    27. 

  27.     WebKit Security Group, please
    28. 

  28.     email <a href="mailto:security@webkit.org">security@webkit.org</a>
    29. 

  29.     and include a link to the relevant Bugzilla bug. Your message
    30. 

  30.     will be acknowledged within a week at most. 
    31. 

  31. 

  32.     <p>The current member list will be published at 
    33. 

  33.     <a href="security-group-members.html">http://webkit.org/security/security-group-members.html</a>.</p>
    34. 

  34. </ol>
    35. 

  35. 

  36. <h3>How To Join the WebKit Security Group</h3>
    37. 

  37. 

  38. <ol>
    39. 

  39.     <li>
    40. 

  40.     <b>Criteria:</b> Nominees for WebKit Security Group
    41. 

  41.     membership should meet at least one of the following criteria:
    42. 

  42. 

  43.     <br>
    44. 

  44.     Individuals:
    45. 

  45.     <ul>
    46. 

  46.         <li>
    47. 

  47.         The nominee specializes in fixing WebKit security related bugs or often participates in their exploration and resolution.
    48. 

  48.         <li>
    49. 

  49.         The nominee has a track record of finding security vulnerabilities and responsible disclosure of those vulnerabilities.
    50. 

  50.         <li>
    51. 

  51.         The nominee is a web technology expert who has specific interests in knowing
    52. 

  52.         about, resolving, and preventing future security
    53. 

  53.         vulnerabilities.
    54. 

  54.     </ul>
    55. 

  55.     Vendor contacts:
    56. 

  56.     <ul>
    57. 

  57.         <li>
    58. 

  58.         The nominee represents an organization or
    59. 

  59.         company which ships products that include their own copy of
    60. 

  60.         WebKit. Due to their position in the organization, the nominee has a reasonable need to know about security issues and disclosure embargoes.
    61. 

  61.     </ul>
    62. 

  62. 

  63.     <li><b>Nomination process:</b> Anyone who feels they meet these criteria can nominate
    64. 

  64.     themselves by mailing <a href="mailto:security@webkit.org">security@webkit.org</a>,
    65. 

  65.     or may be nominated by a third party such as an existing
    66. 

  66.     WebKit Security Group member.  The nomination email should state whether the nominee is 
    67. 

  67.     nominated as an individual or as a vendor contact and clearly describe the grounds for nomination.
    68. 

  68. 

  69.     <li><b>Choosing new members:</b> If a nomination for Security
    70. 

  70.     Group membership is supported by at least three existing Security
    71. 

  71.     Group members (either one initial nomination and two seconds, or
    72. 

  72.     in the case of self-nomination, three seconds), then it carries
    73. 

  73.     within 5 business days unless an existing member of the Security Group objects. 
    74. 

  74.     If an objection is raised, the WebKit Security Group members should discuss
    75. 

  75.     the matter and try to come to consensus; failing this, the nomination will succeed 
    76. 

  76.     only by majority vote of the WebKit Security Group.  After a vote is called for 
    77. 

  77.     on the mailing list, voting will be open for 5 business days.
    78. 

  78. 

  79.     <li><b>Accepting membership:</b> Before new WebKit Security Group
    80. 

  80.     membership is finalized, the successful nominee should accept
    81. 

  81.     membership and agree to abide by this security policy,
    82. 

  82.     particularly Privileges and Responsibilities of WebKit Security Group members.
    83. 

  83. 

  84.     <li><b>Duration of membership:</b> Vendor contacts will only remain members
    85. 

  85.     as long as their position with that vendor remains the same.  Individuals will remain members
    86. 

  86.     indefinitely until they resign or their membership is terminated.
    87. 

  87. 

  88. </ol>
    89. 

  89. 

  90. <h3>Privileges and Responsibilities of WebKit Security Group Members</h3>
    91. 

  91. 

  92. <ul>
    93. 

  93.     <li><b>Access:</b> WebKit Security Group members will be subscribed to
    94. 

  94.     a private mailing list, <a href="mailto:security@webkit.org">security@webkit.org</a>.  
    95. 

  95.     It will be used for technical discussions of security bugs, as well as process discussions about
    96. 

  96.     matters such as disclosure timelines and group membership. 
    97. 

  97.     Members will also have access to all bugs in the Security product in the WebKit bug database.
    98. 

  98. 

  99.     <li><b>Confidentiality:</b> Members of the WebKit Security Group
    100. 

  100.     will be expected to treat WebKit security vulnerability
    101. 

  101.     information shared with the group as confidential until publicly
    102. 

  102.     disclosed:
    103. 

  103. 

  104.     <ul>
    105. 

  105.         <li>
    106. 

  106.         Members should not disclose Security bug information to
    107. 

  107.         non-members unless the member is employed by the vendor
    108. 

  108.         of a WebKit based product, in which case information can be
    109. 

  109.         shared within that organization on a need-to-know basis and
    110. 

  110.         handled as confidential information normally is within that
    111. 

  111.         organization. The one exception to this rule is that members may
    112. 

  112.         share vulnerabilities with vendors of non-WebKit based products
    113. 

  113.         if their product suffers from the same issue and the reporter has
    114. 

  114.         not explicitly requested this not be done. The non-WebKit vendor 
    115. 

  115.         should be asked to respect the issue's embargo date, and to not 
    116. 

  116.         share the information beyond the need-to-know people within their
    117. 

  117.         organization.
    118. 

  118.         <li>
    119. 

  119. 

  120.         Members should not post any information about Security bugs in public forums.
    121. 

  121.     </ul>
    122. 

  122. 

  123.     <li><b>Disclosure:</b> The WebKit Security Group will negotiate an
    124. 

  124.     embargo date for public disclosure for each new Security bug, with a
    125. 

  125.     default minimum time limit of 60 days. An embargo may be lifted
    126. 

  126.     before the agreed-upon date if all vendors planning to ship a fix
    127. 

  127.     have already done so, and if the reporter does not object. The
    128. 

  128.     agreed-upon embargo date will be communicated to the reporter
    129. 

  129.     through the bug
    130. 

  130.     at <a href="https://bugs.webkit.org">https://bugs.webkit.org</a>.
    131. 

  131. 

  132.     <li><b>Collaboration:</b> Members of the WebKit Security Group
    133. 

  133.     are expected to promptly share any WebKit vulnerabilities they become
    134. 

  134.     aware of. The best way to do this is by filing bugs against the
    135. 

  135.     Security product in the WebKit bug database.
    136. 

  136. </ul>
    137. 

  137. 

  138. <h3>Termination of WebKit Security Group Membership</h3>
    139. 

  139. <ul>
    140. 

  140.     <li>Members of the WebKit Security Group may voluntarily end their membership at any time, for any reason.
    141. 

  141.     
    142. 

  142.     <li>Inactive members who are no longer reachable via e-mail at the address 
    143. 

  143.     associated with their group membership will be removed from the WebKit Security Group.
    144. 

  144.         
    145. 

  145.     <li>A member who joined the group as a vendor contact who is no longer associated with that vendor will be
    146. 

  146.     removed from the WebKit Security Group.  The person may be re-nominated as an individual expert or as a vendor contact
    147. 

  147.     for another organization.
    148. 

  148.     
    149. 

  149.     <li>If a member of the WebKit Security Group does not act in
    150. 

  150.     accordance with the letter and spirit of this policy, then their
    151. 

  151.     WebKit Security Group membership can be revoked by a majority vote of the
    152. 

  152.     members, not including the person under consideration for
    153. 

  153.     revocation.  After a member calls for a revocation vote on the mailing list,
    154. 

  154.     voting will be open for 5 business days.
    155. 

  155.     <ul>
    156. 

  156.     <li><b>Emergency suspension:</b> A WebKit Security Group member who blatantly
    157. 

  157.     disregards the WebKit Security Policy may have their membership
    158. 

  158.     temporarily suspended on the request of any two members.  In such
    159. 

  159.     a case, the requesting members should notify the security mailing
    160. 

  160.     list with a description of the offense. At this point, membership
    161. 

  161.     will be temporarily suspended for one week, pending outcome of the
    162. 

  162.     vote for permanent revocation.
    163. 

  163.     </ul>
    164. 

  164. 

  165. </ul>
    166. 

  166. 

  167. <h3>Changes to the Policy</h3>
    168. 

  168. 

  169. <p>The WebKit Security Policy may be changed in the future by rough
    170. 

  170. consensus of the WebKit Security Group. Changes to the policy will be
    171. 

  171. posted publicly.</p>
    172. 

  172. 

  173. <?php
    174. 

  174.     include("../footer.inc");
    175. 

  175. ?>
    176. 

  176.