To add an advisory to the database, open a Pull Request against this repository containing the new advisory:
- Create a file named `HSEC-0000-0000.md` in the `advisories/hackage/<your-package-name>` subdirectory of the repository (you may need to create it if it doesn't exist). The `0000-0000` placeholder is intentional: the real identifier is assigned when the advisory is merged.
- Copy and paste the TOML advisory template from the README.md file in this repo. Delete the comments and additional whitespace, and fill it out with the details of the advisory. Surround the TOML data with `` ```toml `` and `` ``` `` markers.
- Write a human-readable Markdown description in the same file, after the closing `` ``` `` marker and a newline. Use this example advisory as a reference.
- Open a Pull Request. After being reviewed, your advisory will be assigned a `HSEC-*` advisory identifier and be published to the database.
Feel free to do either or both of these as you see fit (we recommend you do both):
- Deprecate the affected versions of the package on Hackage.
- Request a CVE for your vulnerability. See https://cve.mitre.org/cve/request_id.html and https://cveform.mitre.org for details. Alternatively, you can create a GitHub Security Advisory (GHSA) and let GitHub request a CVE for you. In this case, add the GHSA ID to the advisory via the `aliases` field.
All published security advisories are released under CC0. By contributing an advisory, you agree to release the entire content of the advisory (including machine-readable metadata, example code, and textual descriptions) under CC0.
This is a database of security vulnerabilities. The following are examples of qualifying vulnerabilities:
- Code Execution (i.e. RCE)
- Denial of service opportunities
- Memory Corruption
- Privilege Escalation (either at OS level or inside of an app/library)
- File Disclosure / Directory Traversal
- Web Security (e.g. XSS, CSRF)
- Format Injection, e.g. shell escaping, SQL injection (and also XSS)
- Cryptography Failure (e.g. confidentiality breakage, integrity breakage, key leakage)
- Covert Channels (e.g. Spectre, Meltdown)
Q: Do I need to be the maintainer of a package to file an advisory?
A: No, anyone can file an advisory against any package. Reports will be verified prior to merging. If a report turns out to be incorrect then it will be corrected or removed from the database.
Q: Can I file an advisory without creating a pull request?
A: Yes, instead of creating a full advisory yourself you can also open an issue on the security-advisories repo or email information about the vulnerability to
Q: Does this project have a PGP key or other means of handling embargoed vulnerabilities?
A: High-impact vulnerabilities can be reported privately to [email protected], but we do not use PGP. Alternatively, Haskell vulnerabilities can be reported via the CERT/CC VINCE system. Use "Haskell Programming Language" as the vendor name.