Please report security issues to GNOME Security

Hi, since November 2020, we have been tracking security issues reported to the GNOME security team here. This was a good start, but most issues are reported directly to project maintainers, and are therefore not known to the security team.

I want to try to more comprehensively track security vulnerabilities found in GNOME. So starting now, please report security issues for inclusion on the tracking page by either

The 1. Security label is also used for tracking issues that are not vulnerabilities, so I’m not sure whether it will be an effective means of reporting issues or not, but it’s less work for maintainers than filing an issue report, so let’s give it a shot. Edit: explicit is better than implicit. Let’s actually report issues to be certain they don’t get lost.

Thanks for your cooperation!

3 Likes

We should add this to the handbook’s issue reporting guidelines.

4 Likes

There are a few aspects to this that I am unsure about:

  • My understanding is that only those with commit access can assign labels in the GNOME group, so the security label option isn’t universally available?
  • This post recommends creating an issue, but the Security Team README recommends to use the web form. This is confusing - which is better?
  • It’s unclear whether you should also report security issues against the affected modules.

The label should be applied by the project maintainer, not by the person reporting the issue.

The security form is available for people without a clear knowledge of the projects in GitLab, or for people that do not have/cannot create a GitLab account. Using the form is the simplest way for the security team to track issues because they are the ones getting looped into the discussion from the start.

This recommendation is for issues reported directly on a project, as a way for the security team to be involved and track issues for disclosure and for notifying downstreams.

Users should report security issues either on the project’s issue tracker, or using the form on security.gnome.org.

In the former case, the maintainer of the project should either file a tracker issue on the Security Team tracker, or label the issue on their own issue tracker.

In any case, this discussion involves maintainers only.

1 Like

Thanks @ebassi. When I read the post I didn’t realise that it was specifically targeted at maintainers.

@mcatanzaro I’ve drafted something for this for the handbook. Updating the security team README with instructions for maintainers might also be good.

I’m thinking that adding the security label might not be explicit enough. It’s too easy to miss. Let’s request that maintainers open issue reports in the security repo.

I will propose a merge request for the handbook soon. And I will also update the security team README as well.