curl / Development / Security Process

curl security process

This document describes how security vulnerabilities should be handled in the curl project.

Publishing Information

All known and public curl or libcurl related vulnerabilities are listed on the curl web site security page.

Security vulnerabilities should not be entered in the project's public bug tracker unless the necessary configuration is in place to limit access to the issue to only the reporter and the project's security team.

Vulnerability Handling

The typical process for handling a new security vulnerability is as follows.

No information should be made public about a vulnerability until it is formally announced at the end of this process. That means, for example that a bug tracker entry must NOT be created to track the issue since that will make the issue public and it should not be discussed on any of the project's public mailing lists. Also messages associated with any commits should not make any reference to the security nature of the commit if done prior to the public announcement.


If you think you are or should be eligible for a pre-notification about upcoming security announcements for curl, we urge OS distros and similar vendors to primarily join the distros@openwall list as that is one of the purposes of that list - and not just for curl of course.

If you are not a distro or otherwise not suitable for distros@openwall and yet want pre-notifications from us, contact the curl security team with a detailed and clear explanation why this is the case.

curl-security (at haxx dot se)

Who is on this list? There are a couple of criteria you must meet, and then we might ask you to join the list or you can ask to join it. It really isn't very formal. We basically only require that you have a long-term presence in the curl project and you have shown an understanding for the project and its way of working. You must've been around for a good while and you should have no plans in vanishing in the near future.

We do not make the list of participants public mostly because it tends to vary somewhat over time and a list somewhere will only risk getting outdated.

Publishing Security Advisories

  1. Write up the security advisory, using markdown syntax. Use the same subtitles as last time to maintain consistency.

  2. Name the advisory file (and ultimately the URL to be used when the flaw gets published), using a randomized component so that third parties that are involved in the process for each individual flaw will not be given insights about possible other flaws worked on in parallel. has been used before.

  3. Add a line on the top of the array in `curl-www/docs/'.

  4. Put the new advisory markdown file in the curl-www/docs/ directory. Add it to the git repo. Update the Makefile in the same directory to build the HTML representation.

  5. Run make in your local web checkout and verify that things look fine.

  6. On security advisory release day, push the changes on the curl-www repository's remote master branch.