
Re: follow-up to the major incident documentation

From: Demi Marie Obenour <demiobenour_at_gmail.com>
Date: Thu, 18 Sep 2025 13:55:32 -0400

On 9/18/25 05:03, Daniel Stenberg via curl-library wrote:
> Hello,
>
> Frank brought a relevant question on IRC as a follow-up to the recent addition
> we did to the vulnerability disclosure document: how to act under a "major
> incident":
>
> https://curl.se/dev/vuln-disclosure.html#curl-major-incident-response
>
> When such an incident happens in the remote future, how can external parties
> tell who is a legitimate spokesperson for the project and the curl security
> team?
>
> The document suggests all communication to go through the security_at_ email
> address, so a reply to an email sent there should of course indicate that the
> person replying is part of the security team, but can we improve this?
> (Especially if the incident involves bringing down curl.se infrastructure.)
>
> I realize we can have an elaborate setup with cross-signed PGP keys, but I
> fear the complexity of that might risk that we realize by the time we want to
> use it that it doesn't actually work...
>
> Right now, we don't even publish the official list of curl security team
> member names. Even though they can be figured out with high accuracy if you
> just read enough disclosed hackerone reports.
>
> How do other organizations handle this?

The best approach I know of is the Qubes Security Pack:
https://github.com/QubesOS/qubes-secpack. It's also
adopted by Dasharo, and the Qubes Security Bulletin
format is used as the basis for Ledger's bulletins.

Disclaimer: I am a user of Qubes OS, and also a former
paid developer.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Received on 2025-09-18