[gnutls-devel] GnuTLS | SECURITY.md: update with current practices (!2109)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Mon Jun 1 14:01:40 CEST 2026
Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/2109 was reviewed by Alexander Sosedkin
--
Alexander Sosedkin started a new discussion on SECURITY.md: https://gitlab.com/gnutls/gnutls/-/merge_requests/2109#note_3405586660
> +our [issue tracker]. In case you can't use the GitLab web interface,
> +you can still submit issues by sending an email to us, but only as a
> +last resort; such reports requires us a special handling.
s/requires us a special handling/require special handling on our side/
--
Alexander Sosedkin started a new discussion on SECURITY.md: https://gitlab.com/gnutls/gnutls/-/merge_requests/2109#note_3405586709
> -branches which are affected. The commit message must refer to the bug
> -report addressed (e.g., our issue tracker or some external issue tracker).
> +* They are compiled with hardening [options][hardening-options], such
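Review bot: the two removed lines drop the requirement that a commit message refer to the bug report it addresses, while the added bullet introduces an unrelated point about hardening options; unless that requirement survives elsewhere in the rewritten file, it should be restored, since linking a fix to its report is what lets downstream maintainers trace a security fix to its advisory.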
s/are/should be/ for consistency with the follow-up bullet points
--
Alexander Sosedkin started a new discussion on SECURITY.md: https://gitlab.com/gnutls/gnutls/-/merge_requests/2109#note_3405586723
> +are considered insecure at certain point of time, out of scope. We do
> +our best to tighten it from time to time, without sacrificing backward
> +compatibility.
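Review bot: "at certain point of time" should read "at a certain point in time", and "tighten it" has no clear antecedent in these lines; naming what is being tightened would make the scope statement unambiguous.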
I'm not entirely sure what this means. Is it "We do our best to tighten it from time to time, though backwards compatibility constraints limit how aggressively we can do that"?
--
Alexander Sosedkin started a new discussion on SECURITY.md: https://gitlab.com/gnutls/gnutls/-/merge_requests/2109#note_3405586739
> +## Severity ratings
> +
> +Our severity ratings differ from [CVSS], as CVSS scores are often
missing link
--
Alexander Sosedkin started a new discussion on SECURITY.md: https://gitlab.com/gnutls/gnutls/-/merge_requests/2109#note_3405586754
> + * The difficulty is typically due to factors such as demanding
> + timing constraints, specific platform prerequisites, or the
> + involvement of rare options or protocols
would memory pressure error paths be a good example here?
--
Alexander Sosedkin started a new discussion on SECURITY.md: https://gitlab.com/gnutls/gnutls/-/merge_requests/2109#note_3405586763
> + to exploit
> + * Exploitation can lead to system compromise, often resulting in
> + arbitrary code execution
if that's meant to rule out reports with availability-only impact, that might benefit from less ambiguous wording
--
Alexander Sosedkin started a new discussion on SECURITY.md: https://gitlab.com/gnutls/gnutls/-/merge_requests/2109#note_3405586777
> -# Which issues are security issues
> +The report should be self-contained and actionable without requiring
> +us to follow any links or perform any extra actions.
do we want a "reproducers would be welcome" line to stress that we both 1. appreciate having them over not having them though and 2. are interested in reports that don't come with reproducers anyway?
--
Alexander Sosedkin started a new discussion on SECURITY.md: https://gitlab.com/gnutls/gnutls/-/merge_requests/2109#note_3405586789
> +## Disclosure
> +
> +We do not maintain our own disclosure window by ourselves. When to
either "by ourselves" or "our own" feels redundant.
--