_content: update security policy

julieqiu · julieqiu · commit 22652b4484a0 · 2021-10-25T18:51:59.000Z
The golang.org/security page is updated according to the new security policy. Fixes golang/go#44918 Change-Id: I66306aa0368ee12f89f68f97a2ae1412d98da628 Reviewed-on: https://go-review.googlesource.com/c/website/+/352029 Trust: Julie Qiu <julie@golang.org> Trust: Katie Hockman <katie@golang.org> Run-TryBot: Julie Qiu <julie@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Katie Hockman <katie@golang.org>
diff --git a/_content/security.html b/_content/security.html
@@ -2,180 +2,225 @@
 	"Title": "Go Security Policy"
 }-->
 
-<h2>Implementation</h2>
+<h2>Overview</h2>
 
-<h3>Reporting a Security Bug</h3>
+<p>
+  This document explains the Go Security team's process for handling issues
+  reported and what to expect in return.
+</p>
+
+<h2>Reporting a Security Bug</h2>
+
+<p>
+  All security bugs in the Go distribution should be reported by email to
+  <a href="mailto:security@golang.org">security@golang.org</a>. This mail is
+  delivered to the Go Security team.
+</p>
+
+<p>
+  To ensure your report is not marked as spam,
+  <strong>please include the word "vulnerability"</strong> anywhere in your
+  email. Please use a descriptive subject line for your report email.
+</p>
 
 <p>
-Please report to us any issues you find.
-This document explains how to do that and what to expect in return.
+  Your email will be acknowledged within 7 days, and you'll be kept up to date
+  with the progress until resolution. Your issue will be fixed or made public
+  within 90 days. If you have not received a reply to your email within 7 days,
+  please follow up with the Go security team directly at
+  <a href="mailto:security@golang.org">security@golang.org</a>.
 </p>
 
+<h2>Tracks</h2>
+
 <p>
-All security bugs in the Go distribution should be reported by email to
-<a href="mailto:security@golang.org">security@golang.org</a>.
-This mail is delivered to a small security team.
-Your email will be acknowledged within 24 hours, and you'll receive a more
-detailed response to your email within 72 hours indicating the next steps in
-handling your report.
+  Depending on the nature of your issue, it will be categorized by the Go
+  security team as an issue in the PUBLIC, PRIVATE, or URGENT track. All
+  security issues will be issued CVE numbers.
 </p>
 
+<h3>PUBLIC</h3>
+<p>
+  Issues in the PUBLIC track affect niche configurations, have very limited
+  impact, or are already widely known.
+</p>
+
+<p>
+  PUBLIC track issues are <strong>fixed in public</strong>, and get backported
+  to the next scheduled
+  <a href="https://golang.org/wiki/MinorReleases">minor releases</a>
+  (which occur ~monthly). The release announcement includes details of these
+  issues, but there is no pre-announcement.
+</p>
+
+<p>Examples of past PUBLIC issues include:</p>
+<ul>
+  <li>
+    <a href="https://golang.org/issue/44916">#44916</a>:
+    archive/zip: can panic when calling Reader.Open
+  </li>
+  <li>
+    <a href="https://golang.org/issue/44913">#44913</a>:
+    encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom
+    TokenReader
+  </li>
+  <li>
+    <a href="https://golang.org/issue/43786">#43786</a>:
+    encoding/xml: infinite crypto/elliptic: incorrect operations on the P-224
+    curve
+  </li>
+  <li>
+    <a href="https://golang.org/issue/40928">#40928</a>:
+    net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is
+    not specified
+  </li>
+  <li>
+    <a href="https://golang.org/issue/40618">#40618</a>:
+    encoding/binary: ReadUvarint and ReadVarint can read an unlimited number of
+    bytes from invalid inputs
+  </li>
+  <li>
+    <a href="https://golang.org/issue/36834">#36834</a>:
+    crypto/x509: certificate validation bypass on Windows 10
+  </li>
+</ul>
+
+<h3>PRIVATE</h3>
+
 <p>
-To ensure your report is not marked as spam, please include the word "vulnerability"
-anywhere in your email. Please use a descriptive subject line for your report email.
+  Issues in the PRIVATE track are violations of committed security properties.
 </p>
 
 <p>
-After the initial reply to your report, the security team will endeavor to keep
-you informed of the progress being made towards a fix and full announcement.
-These updates will be sent at least every five days.
-In reality, this is more likely to be every 24-48 hours.
+  PRIVATE track issues are
+  <strong>fixed in the next scheduled
+    <a href="https://golang.org/wiki/MinorReleases">minor releases</a>
+  </strong>,
+  and are kept private until then.
 </p>
 
 <p>
-If you have not received a reply to your email within 48 hours or you have not
-heard from the security team for the past five days please contact the Go
-security team directly:
+  Three to seven days before the release, a pre-announcement is sent to
+  golang-announce, announcing the presence of a security fix in the upcoming
+  releases, and whether the issue affects the standard library, the toolchain,
+  or both (but not disclosing any more details).
 </p>
 
+<p>Some examples of past PRIVATE issues include:</p>
 <ul>
-<li>Primary security coordinator: <a href="mailto:filippo@golang.org">Filippo Valsorda</a>.</li>
-<li>Secondary coordinator: <a href="mailto:agl@golang.org">Adam Langley</a>.</li>
-<li>If you receive no response, mail <a href="mailto:golang-dev@googlegroups.com">golang-dev@googlegroups.com</a> or use the <a href="https://groups.google.com/forum/#!forum/golang-dev">golang-dev web interface</a>.</li>
+  <li>
+    <a href="https://golang.org/issue/42552">#42552</a>:
+    math/big: panic during recursive division of very large numbers
+  </li>
+  <li>
+    <a href="https://golang.org/issue/34902">#34902</a>:
+    net/http: Expect 100-continue panics in httputil.ReverseProxy
+  </li>
+  <li>
+    <a href="https://golang.org/issue/39360">#39360</a>:
+    crypto/x509: Certificate.Verify method seemingly ignoring EKU requirements
+    on Windows
+  </li>
+  <li>
+    <a href="https://golang.org/issue/34960">#34960</a>:
+    crypto/dsa: invalid public key causes panic in dsa.Verify
+  </li>
+  <li>
+    <a href="https://golang.org/issue/34540">#34540</a>:
+    net/http: invalid headers are normalized, allowing request smuggling
+  </li>
+  <li>
+    <a href="https://golang.org/issue/29098">#29098</a>:
+    net/url: URL.Parse Multiple Parsing Issues
+  </li>
 </ul>
 
+<h3>URGENT</h3>
+
 <p>
-Please note that golang-dev is a public discussion forum.
-When escalating on this list, please do not disclose the details of the issue.
-Simply state that you're trying to reach a member of the security team.
+  URGENT track issues are a threat to the Go ecosystem’s integrity, or are being
+  actively exploited in the wild leading to severe damage. There are no recent
+  examples, but they would include remote code execution in net/http, or
+  practical key recovery in crypto/tls.
 </p>
 
-<h3>Flagging Existing Issues as Security-related</h3>
+<p>
+  URGENT track issues are fixed in private, and
+  <strong>trigger an immediate dedicated security release</strong>, possibly
+  with no pre-announcement.
+</p>
+
+<h2>Flagging Existing Issues as Security-related</h2>
 
 <p>
-If you believe that an <a href="https://golang.org/issue">existing issue</a>
-is security-related, we ask that you send an email to
-<a href="mailto:security@golang.org">security@golang.org</a>.
-The email should include the issue ID and a short description of why it should
-be handled according to this security policy.
+  If you believe that an <a href="https://golang.org/issue">existing issue</a>
+  is security-related, we ask that you send an email to
+  <a href="mailto:security@golang.org">security@golang.org</a>. The email should
+  include the issue ID and a short description of why it should be handled
+  according to this security policy.
 </p>
 
-<h3>Disclosure Process</h3>
+<h2>Disclosure Process</h2>
 
 <p>The Go project uses the following disclosure process:</p>
 
 <ol>
-<li>Once the security report is received it is assigned a primary handler.
-This person coordinates the fix and release process.</li>
-<li>The issue is confirmed and a list of affected software is determined.</li>
-<li>Code is audited to find any potential similar problems.</li>
-<li>If it is determined, in consultation with the submitter, that a CVE-ID is
-required, the primary handler obtains one via email to
-<a href="https://oss-security.openwall.org/wiki/mailing-lists/distros">oss-distros</a>.</li>
-<li>Fixes are prepared for the two most recent major releases and the head/master
-revision. These fixes are not yet committed to the public repository.</li>
-<li>A notification is sent to the
-<a href="https://groups.google.com/group/golang-announce">golang-announce</a>
-mailing list to give users time to prepare their systems for the update.</li>
-<li>Three working days following this notification, the fixes are applied to
-the <a href="https://go.googlesource.com/go">public repository</a> and a new
-Go release is issued.</li>
-<li>On the date that the fixes are applied, announcements are sent to
-<a href="https://groups.google.com/group/golang-announce">golang-announce</a>,
-<a href="https://groups.google.com/group/golang-dev">golang-dev</a>, and
-<a href="https://groups.google.com/group/golang-nuts">golang-nuts</a>.
+  <li>
+    Once the security report is received it is assigned a primary handler. This
+    person coordinates the fix and release process.
+  </li>
+  <li>The issue is confirmed and a list of affected software is determined.</li>
+  <li>Code is audited to find any potential similar problems.</li>
+  <li>
+    If it is determined, in consultation with the submitter, that a CVE number is
+    required, the primary handler will obtain one.
+  </li>
+  <li>
+    Fixes are prepared for the two most recent major releases and the
+    head/master revision. Fixes are prepared for the two most recent major
+    releases and merged to head/master.
+  </li>
+  <li>
+    On the date that the fixes are applied, announcements are sent to
+    <a href="https://groups.google.com/group/golang-announce">golang-announce</a>,
+    <a href="https://groups.google.com/group/golang-dev">golang-dev</a>, and
+    <a href="https://groups.google.com/group/golang-nuts">golang-nuts</a>.
+  </li>
 </ol>
 
 <p>
-This process can take some time, especially when coordination is required with
-maintainers of other projects. Every effort will be made to handle the bug in
-as timely a manner as possible, however it's important that we follow the
-process described above to ensure that disclosures are handled consistently.
-</p>
-
-<p>
-For security issues that include the assignment of a CVE-ID,
-the issue is listed publicly under the
-<a href="https://www.cvedetails.com/vulnerability-list/vendor_id-14185/Golang.html">"Golang" product on the CVEDetails website</a>
-as well as the
-<a href="https://web.nvd.nist.gov/view/vuln/search">National Vulnerability Disclosure site</a>.
-</p>
-
-<h3>Receiving Security Updates</h3>
-
-<p>
-The best way to receive security announcements is to subscribe to the
-<a href="https://groups.google.com/forum/#!forum/golang-announce">golang-announce</a>
-mailing list. Any messages pertaining to a security issue will be prefixed
-with <code>[security]</code>.
-</p>
-
-<h3>Comments on This Policy</h3>
-
-<p>
-If you have any suggestions to improve this policy, please send an email to
-<a href="mailto:golang-dev@golang.org">golang-dev@golang.org</a> for discussion.
-</p>
-
-<h3>PGP Key for <a href="mailto:security@golang.org">security@golang.org</a></h3>
-
-<p>
-We accept PGP-encrypted email, but the majority of the security team
-are not regular PGP users so it's somewhat inconvenient. Please only
-use PGP for critical security reports.
-</p>
-
-<pre>
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBFXI1h0BEADZdm05GDFWvjmQKutUVb0cJKS+VR+6XU3g/YQZGC8tnIL6i7te
-+fPJHfQc2uIw0xeBgZX4Ni/S8yIqsbIjqYeaToX7QFUufJDQwrmlQRDVAvvT5HBT
-J80JEs7yHRreFoLzB6dnWehWXzWle4gFKeIy+hvLrYquZVvbeEYTnX7fNzZg0+5L
-ksvj7lnQlJIy1l3sL/7uPr9qsm45/hzd0WjTQS85Ry6Na3tMwRpqGENDh25Blz75
-8JgK9JmtTJa00my1zzeCXU04CKKEMRbkMLozzudOH4ZLiLWcFiKRpeCn860wC8l3
-oJcyyObuTSbr9o05ra3On+epjCEFkknGX1WxPv+TV34i0a23AtuVyTCloKb7RYXc
-7mUaskZpU2rFBqIkzZ4MQJ7RDtGlm5oBy36j2QL63jAZ1cKoT/yvjJNp2ObmWaVF
-X3tk/nYw2H0YDjTkTCgGtyAOj3Cfqrtsa5L0jG5K2p4RY8mtVgQ5EOh7QxuS+rmN
-JiA39SWh7O6uFCwkz/OCXzqeh6/nP10HAb9S9IC34QQxm7Fhd0ZXzEv9IlBTIRzk
-xddSdACPnLE1gJcFHxBd2LTqS/lmAFShCsf8S252kagKJfHRebQJZHCIs6kT9PfE
-0muq6KRKeDXv01afAUvoB4QW/3chUrtgL2HryyO8ugMu7leVGmoZhFkIrQARAQAB
-tCZHbyBTZWN1cml0eSBUZWFtIDxzZWN1cml0eUBnb2xhbmcub3JnPokCTgQTAQoA
-OAIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgBYhBGROHzjvGgTlE7xbTTpG0ZF5
-Wlg4BQJd8rfQAAoJEDpG0ZF5Wlg4198P/2YDcEwEqWBWjriLFXdTGOcVxQ7AC/mX
-Fe576zwgmrbqO00IaHOOqZZYXKd078FZyg2qQKILvfSAQB7EtLwfPEgv3Wca/Jb/
-ma2hNz+AveiWDVuF4yPx8qvFer/6Yzv9+anfpUP//qfo/7L3VSYKwNAcqqNGvBMh
-fLb7oWDSkdRmcu57c4WYv8i5BtxMRXs581r836bG3U0z0WQG8j64RpYp6sipqJnv
-09l3R5SXd7kkS26ntLU4fgTNJ6Eim7YoXsqLtVe4VZHGYz3D0yHnvCBpbJa2WpP2
-QT6TtFizvKtQlC0k1uo88VV8DyRdp2V6BO9cSNecvXZh81H0SjtD9MwdMnpX3shT
-LKu3L6wlJtb/EJVZg6+usJo0VunUdNTiBmy4FJrko7YYOSVHKKBA6dooufGNUSjw
-9Tieqh4jnzpg6+aIrNugZIrABH2G0GD/SvUSfjli0i+D1mqQSsMcLzE1BBcichpS
-htjv6fU8nI5XXmloUn1P2WBwziemsb7YcfBLNVeCxlAmoJn1hnOPjNzmKfVZk95E
-VJNvVB76JCh+S/0bAba5+nBZ1HRn/FAbs9vfUpp1sOFf25jX9bDAZvkqwgyPpNv/
-jONK0zNXRD5AfKdCA1nkMI70NNS5oBxPowp95eKyuw4hCINvfuPq5sLJa3cIMj3M
-MVO91QDs9eXxuQINBFXI1h0BEACXD0f/XJtCzgrdcoDWOggjXqu1r0pLt7Dvr5qB
-ejSN5JHAwRB8i07Fi9+Gajz7J2flNaxNuJ8ZTwvf4QFMxFHLNaFtoY7RaLPDsFNU
-nufklb6d0+txSmn+KVSToBRXFo7/z9H735Ulmmh6gsddiWgUY25fnwYsjLWNIG8u
-wuX8qLkg6se8PUYrpN+06XmPwg8LUtIGvAYk7zTfHvBR1A/+2wo39A9HymcGe2sS
-CtAVIj5DeqsK9UyZecGVi6aN84G3ykoyAH3+LH4dY3ymJA1CInEP5eMQzpfBSZCo
-hHvLkYg0paC6d0Ka1gjNWBj2nYGvpQ+tMmLXYt8q/mzZHo2fEUe/9p3b0Kk9N4sl
-GxKoV+oEv3r0EKmP+KxeZASbgW3OJmJ0BFejXYqIYCc8X2i2Ks0enj7yHA0Hexx/
-twjnfLydmK871zAjsGgKVjpkhpuMNwnGMr7bh6ajPeYnlIelmlAtJv2jwZsst9c6
-r7i7MRfYDfR+Gu2xBv/HQYzi/cRTVo/aaO6SzJhuCV21jri0PfnCoAD2ZWXlTH6D
-UehQG8vDSH6XPCHfvQ0nD/8hO8FBVS0MwH3qt8g/h8vmliXmmZHP6+y4nSJfObTm
-oGAp9Ko7tOj1JbFA91fz1Hi7T9dUCXDQCT1lx6rdb3q+x4RRNHdqhkIwg+LB9wNq
-rrStZQARAQABiQI2BBgBCgAgAhsMFiEEZE4fOO8aBOUTvFtNOkbRkXlaWDgFAl3y
-uFYACgkQOkbRkXlaWDiMgw//YvO2nZxWNSnQxqCEi8RXHV/3qsDDe8LloviFFV/M
-GSiGZBOhLJ0bFm9aKKPoye5mrZXBKvEVPu0h1zn43+lZruhARPiTu2AecQ7fstET
-PyXMZJ4mfLSFIaAumuH9dQEQJA9RRaFK8uzPRgAxVKyuNYS89psz/RvSeRM3B7Li
-m9waLs42+5xtltR5F6HKPhrgS/rrFHKMrNiDNMMG2FYu1TjonA9QnzAxDPixH3A1
-VNEj6tVqVK8wCMpci3YaXZJntX0H3oO6qloL8qIpSMVrIiD4IDBDK13Jn3OJ7veq
-iDn1mbGFYtfu8R+QV2xeDSJ6nEKfV3Mc3PFDbJMdzkOCdvExC8qsuUOqO4J6dRt7
-9NVptL0xZqlBjpF9fq9XCt7ZcQLDqbUF/rUs58yKSqEGrruXTx4cTLtwkTLcqJOw
-/CSgFtE8cvY51uupuEFzfmt8JLNTxsm2X2NlsZYxFJhamVrGFroa55nqgKe3tF7e
-AQBU641SZRYloqGgPK+4PB79vV4RyEDETOpD3PvpN2IafVWDacI4LXW0a4EKnPUj
-7JwRBmZxESda3OixSONv/VcuEOyGAZUppbLM4XYTtslRIqdQJFr7Vkza/VIoUqaY
-MkFIioHf2QndVwDXt3d0b0aAGaLeMRD1MFGtLNigEDD45nPeEpuGzXkUATpVWGiV
-bIs=
-=Nx85
------END PGP PUBLIC KEY BLOCK-----
-</pre>
+  This process can take some time, especially when coordination is required with
+  maintainers of other projects. Every effort will be made to handle the bug in
+  as timely a manner as possible, however it's important that we follow the
+  process described above to ensure that disclosures are handled consistently.
+</p>
+
+<p>
+  For security issues that include the assignment of a CVE number, the issue is
+  listed publicly under the
+  <a href="https://www.cvedetails.com/vulnerability-list/vendor_id-14185/Golang.html">
+    "Golang" product on the CVEDetails website
+  </a>
+  as well as the
+  <a href="https://web.nvd.nist.gov/view/vuln/search">
+    National Vulnerability Disclosure site
+  </a>.
+</p>
+
+<h2>Receiving Security Updates</h2>
+
+<p>
+  The best way to receive security announcements is to subscribe to the
+  <a href="https://groups.google.com/forum/#!forum/golang-announce">
+    golang-announce
+  </a>
+  mailing list. Any messages pertaining to a security issue will be prefixed
+  with <code>[security]</code>.
+</p>
+
+<h2>Comments on This Policy</h2>
+
+<p>
+  If you have any suggestions to improve this policy, please
+  <a href="https://golang.org/issue/new">file an issue</a> for discussion.
+</p>
