c-ares security

This document is intended to provide guidance on how security vulnerabilities should be handled in the c-ares project.

Publishing Information

All known and public c-ares vulnerabilities will be listed on the c-ares web site.

Security vulnerabilities should not be entered in the project's public bug tracker unless the necessary configuration is in place to limit access to the issue to only the reporter and the project's security team.

Vulnerability Handling

The typical process for handling a new security vulnerability is as follows.

No information should be made public about a vulnerability until it is formally announced at the end of this process. That means, for example that a bug tracker entry must NOT be created to track the issue since that will make the issue public and it should not be discussed on the project's public mailing list. Also messages associated with any commits should not make any reference to the security nature of the commit if done prior to the public announcement.

C-ARES-SECURITY (at haxx dot se)

Who is on this list? There are a couple of criteria you must meet, and then we might ask you to join the list or you can ask to join it. It really isn't very formal. We basically only require that you have a long-term presence in the c-ares project and you have shown an understanding for the project and its way of working. You must've been around for a good while and you should have no plans in vanishing in the near future.

We do not make the list of partipants public mostly because it tends to vary somewhat over time and a list somewhere will only risk getting outdated.