From suspicion to published curl CVE
14 hours ago
- #vulnerability
- #opensource
- #security
- Security reports for curl start with submissions on HackerOne, kept private during assessment.
- The curl security team consists of seven experienced maintainers who assess reports promptly.
- Most reports are dismissed as not being security issues; those that are valid are classified by severity (low, medium, high, critical).
- Fixes for low/medium severity issues are submitted as public pull requests without mentioning security.
- High/critical severity fixes are merged 48 hours before release to limit exposure.
- Detailed security advisories are written, including affected versions, fixes, and credits.
- curl manages its own CVE IDs as a CVE Numbering Authority (CNA).
- A pre-notification is sent to the distros@openwall list a week before release so that operating system distributions can prepare updated packages.
- On release day, CVEs are published, reports are disclosed, and bounties are claimed via Internet Bug Bounty.
- The current curl security team includes Max Dymond, Dan Fandrich, Daniel Gustafsson, James Fuller, Viktor Szakats, Stefan Eissing, and Daniel Stenberg.