# Standard

Discovered QUIQQER Vulnerabilities and Exposures (QVE) are named according to the following scheme:

`QVE-<Project-ID>-<Year of discovery>-<Vulnerability ID (incremented)>`

Example: `QVE-12-2019-3`

This describes the **third** security vulnerability in the quiqqer/quiqqer project (project ID **12**) discovered in the year **2019**. The last field is a counter that starts at 1 and is incremented separately for each project and year of discovery.

-------------------
# Creating an issue

When creating an issue for a QVE, one should:

- choose a short and meaningful title describing what the vulnerability is about

  Examples:

  `.htaccess files can be uploaded`

  `Session cookie's SameSite attribute isn't set`

- add the QVE-ID to the issue's title

  Example: `Everyone can revoke CRON-service registration (QVE-71-2019-1)`

- describe what the vulnerability does, i.e. who can do what they should not be able to do

- if possible, describe how to exploit the vulnerability (steps to reproduce)

- if possible, reference the code that causes the vulnerability

- tag the issue with the QUIQQER group label `QVE`

- tag the issue with the QUIQQER group label `Security`

- mark the issue as confidential if it is a severe vulnerability, so that exploit details are not public before a fix exists

- mark the issue as public once the vulnerability is fixed

- assign the issue to the last person who actively committed to the project, or to oneself if one knows how to fix the vulnerability properly
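The following Python helper is an added example, not QUIQQER project code. It parses and validates identifiers in the `QVE-<Project-ID>-<Year>-<Vulnerability ID>` scheme, extracts the QVE-ID from an issue title written in the form shown above, and allocates the next incremented ID for a project and year from the IDs already present in existing titles. The minimum year, the rejection of leading zeros, and every sample title and ID except the page's own `QVE-71-2019-1` example are assumptions made for the example.

```python
"""Parse, validate and allocate QUIQQER QVE identifiers.

Added example; not code from the QUIQQER project. The identifier format is the
one the page defines: QVE-<Project-ID>-<Year of discovery>-<Vulnerability ID>.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Anchored pattern: three decimal fields separated by single hyphens. The year is
# pinned to exactly four digits so that a typo such as "QVE-12-19-3" is rejected.
QVE_RE = re.compile(r"^QVE-(?P<project>\d+)-(?P<year>\d{4})-(?P<seq>\d+)$")

# Assumption (not stated on the page): years before 2000 are treated as typos.
MIN_YEAR = 2000


@dataclass(frozen=True, order=True)
class QveId:
    project: int
    year: int
    seq: int

    def __str__(self) -> str:
        return f"QVE-{self.project}-{self.year}-{self.seq}"


def parse_qve(text: str) -> QveId:
    """Parse a bare identifier such as 'QVE-12-2019-3'; raise ValueError if malformed."""
    m = QVE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a QVE identifier: {text!r}")
    # Assumption: fields are written without leading zeros, so "QVE-012-2019-3"
    # is a typo rather than an alias for "QVE-12-2019-3".
    if any(field != str(int(field)) for field in m.groups()):
        raise ValueError(f"leading zeros are not allowed: {text!r}")
    qve = QveId(int(m["project"]), int(m["year"]), int(m["seq"]))
    if qve.year < MIN_YEAR:
        raise ValueError(f"implausible year of discovery in {text!r}")
    if qve.seq < 1:
        raise ValueError(f"vulnerability ID is a counter starting at 1, got {qve.seq}")
    return qve


def qve_from_title(title: str) -> Optional[QveId]:
    """Return the QVE-ID in a title of the form '<summary> (QVE-71-2019-1)', or None."""
    m = re.search(r"\((QVE-\d+-\d{4}-\d+)\)\s*$", title)
    return parse_qve(m.group(1)) if m else None


def make_title(summary: str, qve: QveId) -> str:
    """Build an issue title in the page's form: '<short summary> (<QVE-ID>)'."""
    summary = summary.strip()
    if not summary:
        raise ValueError("the title needs a short, meaningful summary")
    return f"{summary} ({qve})"


def registered_ids(titles: Iterable[str]) -> List[QveId]:
    """Collect the QVE-IDs from a batch of issue titles, skipping non-QVE issues."""
    return sorted(q for q in map(qve_from_title, titles) if q is not None)


def next_qve(project: int, year: int, existing: Iterable[QveId]) -> QveId:
    """Allocate the next counter value for a project/year from the IDs already issued."""
    used = [q.seq for q in existing if q.project == project and q.year == year]
    return QveId(project, year, max(used, default=0) + 1)


# Constructed sample titles. Only "QVE-71-2019-1" is the page's own example;
# the IDs attached to the other two titles are invented for this example.
SAMPLE_TITLES = [
    "Everyone can revoke CRON-service registration (QVE-71-2019-1)",
    ".htaccess files can be uploaded (QVE-12-2019-1)",
    "Session cookie's SameSite attribute isn't set (QVE-12-2019-2)",
    "Typo in README",  # not a QVE issue: no identifier, ignored
]

if __name__ == "__main__":
    ids = registered_ids(SAMPLE_TITLES)
    print(*ids, sep="\n")
    print(make_title("Short, meaningful summary goes here", next_qve(12, 2019, ids)))
```

Titles are matched only on a trailing `(QVE-…)` so that a QVE-ID mentioned in the middle of a summary is not mistaken for the issue's own identifier; `next_qve` deliberately counts per project and year, matching the "incremented" field in the standard.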
# Example Issue

https://dev.quiqqer.com/quiqqer/quiqqer/issues/840