Security Disclosure Process

How we handle security issues.

1. What do we NOT consider a security vulnerability?

One of the most commonly reported classes of vulnerability is a third-party web application passing unfiltered input from web users to the hg command line (command or argument injection). This is a security vulnerability in the web application, not in Mercurial.

Mercurial's command line uses a security model appropriate for a command line: a user who can run a Mercurial command is allowed to do anything that the operating system will let that user do, including running other commands. See SecuringRepositories for guidance on how to secure a Mercurial repository published via the Internet.
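To make the distinction concrete, here is an added example (not code from this wiki or from Mercurial itself) of a web-application wrapper around hg cat, in the vulnerable form the paragraph above describes and in a hardened form. Python is used because Mercurial and most applications that wrap it are Python. The allowlist policy (only hexadecimal node IDs as revisions, only relative paths without ".." components) and the repository root are assumptions of the example; the hg invocation itself uses only standard hg options (-R, cat, -r and the "--" end-of-options marker).

```python
import re
import subprocess
from pathlib import PurePosixPath


# ---- vulnerable form: user input spliced into a shell command string ----
def unsafe_command_line(rev: str, path: str) -> str:
    """Return the string a naive wrapper would hand to the shell via shell=True.

    A value such as rev="tip; id" terminates the hg command and runs "id".
    The shell, not Mercurial, executes it: this is the web application's bug.
    """
    return f"hg cat -r {rev} {path}"


# ---- hardened form: allowlist the input, then exec an argv list, no shell ----
# Assumed policy for this example: a revision may only be named by a short or
# full hexadecimal node ID. Tags, bookmarks and revsets are refused outright.
_REV_RE = re.compile(r"^[0-9a-f]{1,40}$")


def validate_rev(rev: str) -> str:
    """Accept only a hex node ID; anything else is rejected before hg sees it."""
    # An argv list alone is not enough: a value that hg would parse as an
    # option, e.g. --config with a hook definition, can still run commands,
    # because hg's own model is that whoever runs hg may do anything.
    if not _REV_RE.fullmatch(rev):
        raise ValueError(f"rejected revision: {rev!r}")
    return rev


def validate_path(path: str) -> str:
    """Accept only a relative path inside the repository; return it normalized."""
    p = PurePosixPath(path)
    if p.is_absolute() or not p.parts or any(part in ("", ".", "..") for part in p.parts):
        raise ValueError(f"rejected path: {path!r}")
    if path.startswith("-"):  # defence in depth; "--" below also covers this
        raise ValueError(f"rejected path: {path!r}")
    return "/".join(p.parts)


def safe_argv(repo_root: str, rev: str, path: str) -> list:
    """Build the argv list for hg; repo_root is server configuration, not user input.

    "--" ends option parsing, so even a validated path can never be read as an
    option by hg.
    """
    return ["hg", "-R", repo_root, "cat", "-r", validate_rev(rev), "--", validate_path(path)]


def hg_cat(repo_root: str, rev: str, path: str) -> bytes:
    """Run the validated command without a shell and return the file contents."""
    result = subprocess.run(safe_argv(repo_root, rev, path),
                            capture_output=True, check=True, timeout=30)
    return result.stdout


def is_rejected(validator, value: str) -> bool:
    """True if the validator refuses the value; used to exercise the allowlist."""
    try:
        validator(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: what an attacker would submit to the web form.
    print("shell=True would run:", unsafe_command_line("tip; id", "README"))
    for bad in ("tip; id", "--config=hooks.pre-cat=id", "`id`", "tip"):
        print(f"rev {bad!r} rejected: {is_rejected(validate_rev, bad)}")
    for bad in ("../../etc/passwd", "/etc/passwd", "-rf"):
        print(f"path {bad!r} rejected: {is_rejected(validate_path, bad)}")
    print("argv:", safe_argv("/srv/hg/project", "0123abcd", "docs/README.md"))
```

The point of the hardened form is not the absence of a shell by itself: Mercurial will execute hooks and honour --config from any argument it is given, so the application must decide which revisions and paths a web user may name and refuse everything else before invoking hg. Publishing repositories through hgweb, as SecuringRepositories describes, avoids handing user input to the command line at all.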

Users should bear in mind that the single largest threat vector for a source control system is the code checked into a repository itself. If you compile or run code from an untrusted repository, an attacker needs no exploit of Mercurial at all.

2. Reporting vulnerabilities (for researchers)

3. Summarize and allocate a CVE (for maintainers)

4. Early notification process (for maintainers)

5. Release process


SecurityDisclosureProcess (last edited 2017-07-27 19:01:30 by AugieFackler)