follow-up to the major incident documentation
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 18 Sep 2025 11:03:57 +0200 (CEST)
Hello,
Frank brought a relevant question on IRC as a follow-up to the recent addition
we did to the vulnerability disclosure document: how to act under a "major
incident":
https://curl.se/dev/vuln-disclosure.html#curl-major-incident-response
When such an incident happens in the remote future, how can external parties
tell who is a legitimate spokesperson for the project and the curl security
team?
The document suggests all communication go through the security@ email
address, so a reply to an email sent there should of course indicate that the
person replying is part of the security team, but can we improve this?
(Especially if the incident involves bringing down curl.se infrastructure.)
I realize we can have an elaborate setup with cross-signed PGP keys, but I
fear the complexity of that might risk that we realize by the time we want to
use it that it doesn't actually work...
Right now, we don't even publish the official list of curl security team
member names, even though they can be figured out with high accuracy if you
just read enough disclosed HackerOne reports.
How do other organizations handle this?
--
 / daniel.haxx.se || https://rock-solid.curl.dev
Received on 2025-09-18