« GitHub Disclosure

Checklist

Handling security vulnerabilities in a timely and responsible manner is crucial for maintaining the integrity and security of your project. Use the following checklist to ensure that you address vulnerabilities effectively:

  1. Publish Fix:
    • Develop and implement a fix for the vulnerability in your project’s codebase.
    • Ensure that the fix addresses the root cause of the vulnerability and does not introduce new issues or regressions.
  2. Attribute Reporter:
    • Acknowledge and attribute the reporter who identified and reported the vulnerability. Recognizing the efforts of security researchers encourages responsible disclosure and fosters a collaborative security culture.
  3. Disclose & Request CVE:
    • Document the vulnerability, including its impact, affected versions, and mitigations, in a security advisory on GitHub or your project’s website.
    • Request a Common Vulnerabilities and Exposures (CVE) identifier for the vulnerability through GitHub’s security advisory interface or other appropriate channels.
    • Provide clear and comprehensive information to users and stakeholders to help them understand the nature and severity of the vulnerability.
    • Check that the disclosure is visible in the GitHub Advisory database. If it is not, search for your CVE and make sure that the affected package & versions are properly declared.
  4. Retire Hex Package:
    • If the vulnerability affects a package published on Hex.pm, consider retiring the package to prevent further installations.
    • Update the retirement status of the affected package on Hex to notify users of the vulnerability and encourage them to transition to safer alternatives.
  5. Communicate Fixes and Mitigations:
    • Publish the fix and mitigations, along with clear instructions for users to update their installations or implement workarounds.
    • Notify users of the availability of the fix through release notes, blog posts, social media, or other communication channels.
    • Provide guidance on best practices for securing their systems and mitigating the impact of the vulnerability until they can apply the fix.
  6. Monitor and Follow Up:
    • Monitor the effectiveness of the fix and any related mitigations to ensure that they adequately address the vulnerability.
    • Follow up with users and stakeholders to verify that they have applied the fix and are protected against the vulnerability.
    • Stay vigilant for any signs of exploitation or recurrence of the vulnerability and be prepared to take further action if necessary.

By following this checklist, you can ensure that vulnerabilities in your project are addressed promptly and responsibly, minimizing the risk to your users and maintaining trust in your project’s security practices.

Next: Resources »