tcpdump mailing list archives

SECURITY.md


From: Michael Richardson <mcr () sandelman ca>
Date: Wed, 28 Jan 2026 12:11:40 +0100


Hi, I've proposed two PRs (libpcap/tcpdump) which add a SECURITY.md file to
both projects.  They are:
* https://github.com/the-tcpdump-group/tcpdump/pull/1403
* https://github.com/the-tcpdump-group/libpcap/pull/1613

This is based upon some discussion at the GVIP-project.org's Summit#01.
I attach the SECURITY.md for discussion here.

# SECURITY reporting for TCPDUMP.

## Ethical Reporting Guidelines

If you have not read the Menlo Report: Ethical Principles Guiding Information and
Communication Technology Research, August 2012, then are you really a security researcher?
* https://www.dhs.gov/sites/default/files/publications/CSD-MenloPrinciplesCORE-20120803_1.pdf
* (or https://web.archive.org/web/20251123232841/https://www.dhs.gov/sites/default/files/publications/CSD-MenloPrinciplesCORE-20120803_1.pdf)

If you are doing research, and you are using The Tcpdump Project as a target, then you MUST obtain our explicit consent 
before involving us in your research.  We do not consent by default.  The time of our maintainers is extremely valuable.

## Use of LLMs ("AI")

We do not accept reports generated by LLMs.
We do not consent to your using our project to help train your LLM to do reports.

## Reporting

Send an e-mail to security () tcpdump org.
This is a closed list, from which you will receive communication from the project members.  If you have a spam filter 
that requires any action on our part to confirm emails, then we will ignore you.

## Proof of Concept

We prioritize reports that contain a workable proof of concept.
Ones without proof of concept may be closed, unread.

A proper proof of concept contains a packet capture (usually pcap format) that exploits the vulnerability.  If the 
issue cannot be exploited remotely, then is it really an exploit?

Reports that only affect versions of tcpdump that are installed with setuid or setgid privileges should be clearly 
marked as such.  They may be local root exploits.


## Patches to fix bugs

Reports that contain patches that fix the reported bug (which includes a PoC) are the best.  They are ideally 
integrated with the tests in the "tests/" subdirectory.

Please add the new test case as one commit, such that we can see the failure (the "red" signal).  Then make a second 
commit that contains the fix, such that all tests now succeed.

## CVE numbers.

We do not assign CVEs to all reports, only ones that are actually exploitable
in real world code, in versions that are released.

Otherwise, your code fixes, if used verbatim, will be credited in git authorship.
_______________________________________________
tcpdump-workers mailing list -- tcpdump-workers () lists tcpdump org
To unsubscribe send an email to tcpdump-workers-leave () lists tcpdump org