Add documentation for reporting vulnerabilities

[postmodern]

Document the steps to report a vulnerability.

1. OSVDB: email moderators@osvdb.org and/or message @osvdb on GitHub or Twitter.
2. Request a CVE from oss-sec mailing list or reserve a CVE from MITRE.
3. Once OSVDB or CVE have been obtained, send advisory to rubysec-announce@googlegroups.com.

+1. this would be very useful. i don't know anything about how this works, and I expect others in ruby don't as well.

[jordimassaguerpla]

+1

[bf4]

Also how maintainers should notify users? Recommend all to sign up to a rubysec list on librelist? Subscribe an rss? Follow [ANN SEC] on ruby-talk? irc channel rubysec on freenode? Twitter?

Would be great to subscribe to gems you use for notifications.. but that's a more complicated feature. However, it's sort of already implemented in the rubygems.org site where you can subscribe to gems. Now just need to notify of vulns.

cc @drbrain

[bf4]

I can update the rubygems security guide once this is up to date

[jordimassaguerpla]

Maybe gems-status-web could be of help here. see:

https://github.com/jordimassaguerpla/gems-status-web/blob/master/README.md

You can get notifications on your gems (based on a Gemfile file) and the software gets alerts from different sources: mailing lists and commits on upstream.

[dwradcliffe]

For the record, there are several hosted tools that can help keep users updated too. (Gemnasium and gemcanary)

[jordimassaguerpla]

also bundler-audit may be of your interest

https://github.com/postmodern/bundler-audit

[postmodern]

@bf4 for general RubyGems security announcements, I believe rubysec-announce@googlegroups.com is the right place.

[phillmv]

@postmodern how does one accomplish:

Request a CVE from oss-sec mailing list or reserve a CVE from MITRE

Is there a template people can use? Ditto re: osvdb email.

[postmodern]

For requesting a CVE from MITRE: http://cve.mitre.org/cve/request_id.html

Or publicly on oss-security: https://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html

[reedloden]

There's also http://guides.rubygems.org/security/#reporting-security-vulnerabilities as well, though it's a bit outdated (I'm working on fixing).