update the VRP and unhide it. Still a WIP but includes updates on several important points

This commit is contained in:
hankhill19580
2020-06-15 04:41:56 +00:00
parent 0e3757d654
commit f11a91df66
2 changed files with 29 additions and 23 deletions

View File

@@ -54,6 +54,7 @@
<ul>
<li><a href="{{ site_url('research') }}"><div class="menuitem"><span>{{ _('Academic research') }}</span></div></a></li>
<li><a href="{{ site_url('research/questions') }}"><div class="menuitem"><span>{{ _('Open research questions') }}</span></div></a></li>
<li><a href="{{ site_url('research/vrp') }}"><div class="menuitem"><span>{{ _('Vulnerability Response Process') }}</span></div></a></li>
</ul>
<li><a href="{{ get_url('papers_list') }}"><div class="menuitem"><span>{{ _('Academic papers and peer review') }}</span></div></a></li>
</li>
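Review bot: the new menu entry is consistent with the two `site_url('research/...')` siblings above it, but the unchanged context on the last two lines shows a `<li>` (papers list) placed directly after the inner `</ul>` and before the enclosing `</li>`, so the papers link ends up nested inside the research item rather than as a top-level menu entry; while touching this block it would be worth moving that `</li>` above the papers `<li>`. Since the commit message says the VRP page is still a WIP, consider keeping the link hidden or adding a draft notice on the target page until the content is final.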

View File

@@ -1,36 +1,38 @@
{% extends "global/layout.html" %}
{% block title %}{{ _('Vulnerability Response Process') }}{% endblock %}
{% block lastupdated %}{% trans %}January 2017{% endtrans %}{% endblock %}
{% block lastupdated %}{% trans %}January 2020{% endtrans %}{% endblock %}
{% block content_id %}vrp{% endblock %}
{% block content %}
<p>{% trans %}
This process is subject to change. Please refer to this page for the current VRP.
{%- endtrans %}</p>
<h2>I. {{ _('Point of Contact for Security Issues') }}</h2>
<p>{% trans %}This page was last updated in January 2020.{%- endtrans %}</p>
<p>{% trans %}This process is subject to change. Please refer to this page for the current VRP.{%- endtrans %}</p>
<p>{% trans %}Researchers: while you research/hack, we kindly ask that you refrain from the following: - Performing active exploits or Denial of Service attacks on the
i2p network - Performing social engineering on i2p development team members - Performing any physical or electronic attempts against i2p property and/or data
centers{%- endtrans %}</p>
<p>{% trans %}As i2p is an open-source community, many volunteers and development team members run their own EepSites as well as public (“clearnet”) domains. These
sites/servers are NOT in the scope of the vulnerability assessment / response process, only the underlying code of i2p is.{%- endtrans %}</p>
<h2 id="i.-point-of-contact-for-security-issues">I. {{ _('Point of Contact for Security Issues') }}</h2>
security@geti2p.net - GPG Key fingerprint = EA27 06D6 14F5 28DB 764B F47E CFCD C461 75E6 694A
<h2>II. {{ _('Security Response Team') }}</h2>
<h2 id="ii.-security-response-team">II. {{ _('Security Response Team') }}</h2>
<p>{% trans -%}
Only the following members have access to the security point of contact:
Echelon is the trusted security point-of-contact. He forwards e-mails to team members as appropriate.
{%- endtrans %}</p>
<ol>
<li>zzz</li>
<li>str4d</li>
</ol>
<h2>III. {{ _('Incident Response') }}</h2>
<h2 id="iii.-incident-response">III. {{ _('Incident Response') }}</h2>
<ol>
<li>{% trans -%}
Researcher submits report via one or both of two methods:
{%- endtrans %}
<ol>
<li>{{ _('Email')}}</li>
<li><a href="https://hackerone.com/i2p">HackerOne</a></li>
<li>{{ _('Email(security@geti2p.net')}}</li>
</ol>
</li>
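Review bot: the added list item `{{ _('Email(security@geti2p.net')}}` is missing the closing parenthesis and a space, so the rendered text reads "Email(security@geti2p.net"; it should be `{{ _('Email (security@geti2p.net)') }}`, and changing the string also breaks the existing translation of the plain "Email" entry. In section II the sentence "Only the following members have access to the security point of contact:" is replaced by "Echelon is the trusted security point-of-contact. He forwards e-mails to team members as appropriate.", but the unchanged `<ol>` listing zzz and str4d still follows it, so the list is now orphaned with no sentence introducing it; either drop it or add a line such as "E-mails are forwarded to:" before it. The researcher guidance paragraph embeds a three-item list as " - " separated text inside a single `<p>`; it should be a `<ul>` with one `<li>` per item (active exploits or DoS against the network, social engineering of team members, physical or electronic attempts against i2p property or data centers), each wrapped in its own `{% trans %}` block so translators get short units. The `lastupdated` block and the new "This page was last updated in January 2020." paragraph duplicate each other, and both say January 2020 while this commit lands in June 2020; keep only the block and set it to the real date. Finally, the contact line "security@geti2p.net - GPG Key fingerprint = ..." is still bare text between two `<h2>` elements rather than inside a `<p>`.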
@@ -67,10 +69,6 @@ Response Manager moves discussion to a new or existing ticket on public Trac if
</ol>
</li>
<li>{% trans -%}
If over email, Response Manager opens a HackerOne issue for new submission.
{%- endtrans %}</li>
<li>{% trans %}
Establish severity of vulnerability:
{% endtrans %}
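Review bot: with "If over email, Response Manager opens a HackerOne issue for new submission." removed, the process no longer says where an e-mail submission is tracked, while the hunk header above still moves discussion to "a new or existing ticket on public Trac" and HackerOne remains one of the two submission methods in the preceding step; add a replacement sentence stating how e-mailed reports are recorded (private ticket, HackerOne issue, or encrypted mail thread) so the two intake paths converge before "Establish severity of vulnerability".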
@@ -124,7 +122,7 @@ Response Team applies appropriate patch(es).
{%- endtrans %}
<ol>
<li>{% trans -%}
Response Manager designates a PRIVATE monotone "hotfix branch" to work in.
Response Manager works on a patch LOCALLY, patches are shared by the response team via PGP-encrypted e-mail until such a time as it is safe to expose to the public.
{%- endtrans %}</li>
<li>{% trans -%}
Patches are reviewed with the researcher.
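Review bot: the replacement step drops the private monotone "hotfix branch" in favour of local work with patches exchanged via PGP-encrypted e-mail, but the step that follows this hunk (visible in the next hunk's header, "Response Manager propagates the "hotfix branch" to trunk.") still refers to that branch; it needs to be reworded to match, e.g. "Response Manager commits the reviewed patch to trunk." It would also help to state whose keys are used for the encrypted exchange (the response team members listed in section II) and that the patch is shared with the researcher for review over the same channel, since the next item says patches are reviewed with the researcher.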
@@ -164,13 +162,16 @@ Response Manager propagates the "hotfix branch" to trunk.
Response Manager includes vulnerability announcement draft in release notes.
{%- endtrans %}</li>
<li>{% trans -%}
Proceed with the Point or Regular Release.
Proceed with the Point or Regular Release. At this time, it is not possible to release an in-network update for only one operating system or
architecture. In order that all affected products can be released as quickly as possible, the person responsible
for that software should be able to perform necessary release processes in a timely manner. Importantly this should include
consideration for package maintainers in Debian, Ubuntu and F-Droid.
{%- endtrans %}</li>
</ol>
</li>
</ol>
<h2>IV. {{ _('Post-release Disclosure Process') }}</h2>
<h2 id="iv.-post-release-disclosure-process">IV. {{ _('Post-release Disclosure Process') }}</h2>
<ol>
<li>{% trans limit=90 -%}
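Review bot: the expanded release step mixes a constraint ("it is not possible to release an in-network update for only one operating system or architecture") with a responsibility ("the person responsible for that software should be able to perform necessary release processes in a timely manner") in one long sentence; splitting it into a constraint sentence and a requirement sentence, and naming the role rather than "the person responsible for that software", would make it actionable. "Importantly this should include" needs a comma after "Importantly", and "consideration for package maintainers in Debian, Ubuntu and F-Droid" should say what is expected of them (advance notice, embargoed patch, coordinated upload date) rather than leaving "consideration" undefined. The hunk header "Response Manager propagates the "hotfix branch" to trunk." still references the hotfix branch removed in the previous hunk.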
@@ -223,6 +224,11 @@ If applicable, credits to the original reporter.
<li>{% trans -%}
Release finalized vulnerability announcement on website and in news feed.
{%- endtrans %}</li>
<li><ol>
<li>If the vulnerability may be exploited while the network is being upgraded, delay the announcement until the vulnerable routers are upgraded.</li>
<li>After the update is successful, write the announcement for the news feed, send it for translation, and release it.</li>
<li>When translations come in, news operators should pull in the translations and update their feeds.</li>
</ol></li>
<li>{% trans -%}
For HIGH severities, release finalized vulnerability announcement on well-known mailing lists:
{%- endtrans %}
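Review bot: the inserted `<li><ol>...</ol></li>` block has no introductory text and is not wrapped in `{% trans %}`, so its three sentences will not be picked up for translation, unlike every neighbouring item; wrap each `<li>` in `{% trans -%} ... {%- endtrans %}` and give the outer item a lead sentence (e.g. "Timing of the announcement:"). Ordering also looks off: the delay rule ("If the vulnerability may be exploited while the network is being upgraded, delay the announcement until the vulnerable routers are upgraded.") sits after "Release finalized vulnerability announcement on website and in news feed.", so it should either precede that item or be folded into it as a condition. "After the update is successful" should say how success is judged (for example, a stated share of routers on the fixed version), since that is the trigger for publishing.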
@@ -270,7 +276,7 @@ vulnerability to the public.
</li>
</ol>
<h2>V. {{ _('Incident Analysis') }}</h2>
<h2 id="v.-incident-analysis">V. {{ _('Incident Analysis') }}</h2>
<ol>
<li>{{ _('Isolate codebase') }}
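Review bot: the `id` values added to every section heading (here `v.-incident-analysis`, and likewise for sections I through VII) are hard-coded from the English heading text while the visible text is translated via `_()`, which is fine for stable anchors, but the trailing period inside the id (`v.-`) is unusual and will show up in URLs as `#v.-incident-analysis`; consider `section-5-incident-analysis` style ids without punctuation, applied uniformly to all seven headings in this commit.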
@@ -319,7 +325,7 @@ completion of section V.
{%- endtrans %}</li>
</ol>
<h2>VI. {{ _('Resolutions') }}</h2>
<h2 id="vi.-resolutions">VI. {{ _('Resolutions') }}</h2>
<p>{% trans -%}
Any further questions or resolutions regarding the incident(s) between the
@@ -329,13 +335,12 @@ addressed via the following:
<ol>
<li>Trac</li>
<li>HackerOne</li>
<li>IRC</li>
<li>Email</li>
<li>Twitter</li>
</ol>
<h2>VII. {{ _('Continuous Improvement') }}</h2>
<h2 id="vii.-continuous-improvement">VII. {{ _('Continuous Improvement') }}</h2>
<ol>
<li>{% trans -%}