curl / Development / Security

curl security for developers

This document is intended to provide guidance to curl developers on how security vulnerabilities should be handled.

Publishing Information

All known and public curl or libcurl related vulnerabilities are listed on the curl web site security page.

Security vulnerabilities should not be entered in the project's public bug tracker unless the necessary configuration is in place to limit access to the issue to only the reporter and the project's security team.

Vulnerability Handling

The typical process for handling a new security vulnerability is as follows.

No information should be made public about a vulnerability until it is formally announced at the end of this process. That means, for example that a bug tracker entry must NOT be created to track the issue since that will make the issue public and it should not be discussed on any of the project's public mailing lists. Also messages associated with any commits should not make any reference to the security nature of the commit if done prior to the public announcement.

Pre-notification

If you think you are or should be eligible for a pre-notification about upcoming security announcements for curl, we urge OS distros and similar vendors to primarily join the distros@openwall list as that is one of the purposes of that list - and not just for curl of course.

If you are not a distro or otherwise not suitable for distros@openwall and yet want pre-notifications from us, contact the curl security team with a detailed and clear explanation why this is the case.

curl-security (at haxx dot se)

Who is on this list? There are a couple of criteria you must meet, and then we might ask you to join the list or you can ask to join it. It really isn't very formal. We basically only require that you have a long-term presence in the curl project and you have shown an understanding for the project and its way of working. You must've been around for a good while and you should have no plans in vanishing in the near future.

We do not make the list of participants public mostly because it tends to vary somewhat over time and a list somewhere will only risk getting outdated.