418sec / huntr

Public Roadmap | huntr.dev
https://huntr.dev

Add a "Security Advisory" field to bugs likely to receive a CVE #2155

Closed geeknik closed 2 years ago

geeknik commented 2 years ago

Hi, I think it would make proper sense to add a "Security Advisory" field to bug reports likely to receive a CVE. This field would be editable by the researcher and the maintainer and allow for the discussion and formatting of a proper security advisory. The value in a CVE being written which only says "xxx is vulnerable to yyy" is low, and I feel that adding the ability for us to write up a simple root cause analysis can go a long way. 1024 characters or less; we don't need a novel. If it's that big of a deal, include a link to a proper write-up. Comments separate from the bug report and hidden from public view (?); discussions about the root cause aren't necessarily that interesting to outside parties, plus if there is a proper write-up, that will be way better to read. Once the "Publish" button is clicked by the maintainer, who in the end is the absolute authority over their own code, the advisory gets posted, the report goes public, everyone gets paid, and we move on to the next report. Thoughts?

JamieSlome commented 2 years ago

@psmoros - might come in line with the work we are doing at the moment on CVE automation?

JamieSlome commented 2 years ago

@adam-nygate - would be good to get your thoughts here as well, as we could include in the scope of our new CVE release?

adam-nygate commented 2 years ago

Hey @geeknik, yep, we plan to do something very similar to this, where the Summary field provided will by default be the text included in a potential advisory, with this information able to be overridden by the maintainer, as well as things like the CVSS and other meta-information (versions afflicted, etc.).

geeknik commented 2 years ago

Sounds great, I look forward to seeing the release. Thanks for listening!

geeknik commented 2 years ago

If I may leave another suggestion, maybe a link to some educational material next to the Advisory field for those folks who have never had to write an advisory before? For instance: https://cveproject.github.io/docs/content/key-details-phrasing.pdf

psmoros commented 2 years ago

Hey @geeknik! Thanks for the suggestion! Does this #2161 cover it?

psmoros commented 2 years ago

Hi again @geeknik, I suppose your +1 on #2161 means it covers your suggestion, so I will go ahead and close this for now. If I misinterpreted your reaction, feel free to reopen this <3