<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="generator" content="AsciiDoc 8.6.9">
<title>Security Researchers and Vulnerability Reports</title>
<link rel="stylesheet" href="./asciidoc.css" type="text/css">
<script type="text/javascript" src="./asciidoc.js"></script>
<script type="text/javascript">
/*<![CDATA[*/
asciidoc.install();
/*]]>*/
</script>
</head>
<body class="article">
<div id="header">
<h1>Security Researchers and Vulnerability Reports</h1>
</div>
<div id="content">
<div class="sect1">
<h2 id="_invitation_to_responsible_security_researchers">Invitation to Responsible Security Researchers</h2>
<div class="sectionbody">
<div class="paragraph"><p>We specifically invite and welcome the scrutiny and participation of
responsible security researchers. Please, inspect the code, abuse the
APIs, fuzz the sockets, and attack the network traffic.</p></div>
<div class="paragraph"><p>If you are a security research organization, we invite you to contact
us even before you have anything to report, so we can set up a working
relationship, and exchange keys.</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_reporting_vulnerabilities">Reporting Vulnerabilities</h2>
<div class="sectionbody">
<div class="paragraph"><p>Please report discovered vulnerabilities to <a href="mailto:security@ntpsec.org">security@ntpsec.org</a>.</p></div>
<div class="paragraph"><p>This email alias forwards to a very small cadre of the internal NTPsec
team.</p></div>
<div class="paragraph"><p>You may GPG encrypt your report. The GPG key can be found on the
well-known keyservers, and has the following id and fingerprint:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>pub 4096R/CC282DBE 2015-09-29 [expires: 2018-09-13]
Key fingerprint = B09A 8CAB E180 EC66 4CC5 11D8 2A7C 3E36 CC28 2DBE
uid NTPsec Security Reporting &lt;security@ntpsec.org&gt;</pre>
</div></div>
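<div class="paragraph"><p>The following script is an added example, not part of the NTPsec page or project: it fetches the reporting key, compares the fetched key's primary fingerprint against the one published above before trusting it, and only then encrypts a report to it. Only the fingerprint and key ID come from the page; the function names, the <code>REPORT</code> variable and the constructed <code>--with-colons</code> sample are assumptions of this example. The key is fetched and addressed by its full fingerprint rather than the 32-bit short ID <code>CC282DBE</code>, because short IDs are cheap to collide and a keyserver may return more than one key for them.</p></div>

```shell
#!/bin/sh
# Added example (not from the NTPsec page): verify the security-reporting
# key against the published fingerprint before encrypting a report to it.
# Only EXPECTED_FPR and the key ID are taken from the page; the function
# names, REPORT variable and SAMPLE_COLONS are assumptions of this example.

# Fingerprint exactly as published, in gpg's visually grouped form.
EXPECTED_FPR="B09A 8CAB E180 EC66 4CC5 11D8 2A7C 3E36 CC28 2DBE"

# Constructed sample of `gpg --with-colons --fingerprint` output, so the
# parser can be exercised offline. Timestamps and subkey ID are made up.
SAMPLE_COLONS='tru::1:1700000000:0:3:1:5
pub:-:4096:1:2A7C3E36CC282DBE:1443500000:1536800000::-:::scESC::::::23::0:
fpr:::::::::B09A8CABE180EC664CC511D82A7C3E36CC282DBE:
uid:-::::1443500000::0000000000000000000000000000000000000000::NTPsec Security Reporting <security@ntpsec.org>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1443500000:1536800000:::::e::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

# Canonical form: no spaces, upper case, so a grouped fingerprint compares
# equal to the compact form gpg emits in --with-colons output.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read --with-colons output on stdin and print the primary key fingerprint:
# field 10 of the first "fpr" record. Later fpr records belong to subkeys.
primary_fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Exit 0 only when a non-empty fingerprint matches the published one.
check_fpr() {
    actual=$(normalize_fpr "$1")
    expected=$(normalize_fpr "$EXPECTED_FPR")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Offline self-check: parse the constructed sample and compare it.
selftest_parse() {
    fpr=$(printf '%s\n' "$SAMPLE_COLONS" | primary_fpr_from_colons)
    check_fpr "$fpr"
}

# Live flow: fetch by full fingerprint, verify, then encrypt to that exact
# key. Pinning the recipient by fingerprint avoids short-ID ambiguity.
encrypt_report() {
    report="$1"
    keyid=$(normalize_fpr "$EXPECTED_FPR")
    gpg --recv-keys "$keyid" || return 1
    fpr=$(gpg --with-colons --fingerprint "$keyid" | primary_fpr_from_colons)
    if ! check_fpr "$fpr"; then
        echo "fingerprint mismatch: got '$fpr'" >&2
        return 1
    fi
    gpg --encrypt --armor --recipient "$keyid" \
        --output "$report.asc" "$report"
}

# Set REPORT=/path/to/report.txt to run the live flow; otherwise the script
# touches neither the network nor the keyring.
if [ -n "${REPORT:-}" ]; then
    encrypt_report "$REPORT"
fi
```

<div class="paragraph"><p>Note that the key listed above carries a 2018-09-13 expiry; gpg refuses to encrypt to an expired key, so <code>encrypt_report</code> fails closed on a stale key and the current key should be confirmed with the team before a report is sent.</p></div>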
</div>
</div>
<div class="sect1">
<h2 id="_our_responsiveness_goals">Our Responsiveness Goals</h2>
<div class="sectionbody">
<div class="paragraph"><p>Our goal is to acknowledge receipt within 24 hours, verify each potential
vulnerability within 3 days, and, if the vulnerability is a significant
network risk, such as remote execution, denial of service, network
amplification, or corruption of time reporting, develop a fix within 7
days.</p></div>
<div class="paragraph"><p>Our experience so far is that we are much faster than that.</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_honoring_reporter_responsible_disclosure_policies">Honoring Reporter Responsible Disclosure Policies</h2>
<div class="sectionbody">
<div class="paragraph"><p>We honor responsible disclosure policies and embargoes requested by
responsible security researchers and security research organizations.</p></div>
<div class="paragraph"><p>Vulnerabilities properly reported to us are tracked in a controlled
access issue tracker. Development of fixes is done in private Git
repos.</p></div>
<div class="paragraph"><p>When the reasonable embargo period expires, we will promptly merge the
fixes to our public repos, and will cut a new release.</p></div>
<div class="paragraph"><p>If a vulnerability becomes publicly known before the embargo
expires, we will notify the reporter, and then will promptly merge the
fixes to our public repos, and will cut a new release.</p></div>
<div class="paragraph"><p>If we receive a vulnerability report that is a duplicate, we will put
the reporters in contact with each other, and then will honor the
shortest embargo.</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_our_responsible_disclosure_policies">Our Responsible Disclosure Policies</h2>
<div class="sectionbody">
<div class="paragraph"><p>As NTPsec is currently in developer pre-release and is not yet
deployed in production, we currently have no responsible disclosure or
embargo policies of our own. As issues and vulnerabilities are found by
us or by ordinary contributors, we will verify and fix them on our
existing development and release cadence, in our public issue tracker
and on our public Git repositories.</p></div>
<div class="paragraph"><p>Once NTPsec is in production use, we will work towards an
industry-standard, best-practice Responsible Disclosure and Embargo
Policy.</p></div>
<div class="imageblock" style="text-align:center;">
<div class="content">
<img src="clocktower64.png" alt="clocktower64.png">
</div>
</div>
</div>
</div>
</div>
<div id="footnotes"><hr></div>
<div id="footer">
<div id="footer-text">
Last updated 2015-11-14 05:18:53 PST
</div>
</div>
</body>
</html>