wiki:Security

Version 7 (modified by exarkun, 23 months ago)

Alert readers that there is currently no working security contact address

We appreciate your concern

We take security very seriously. Your input and feedback on our security is always appreciated.

Reporting Security Issues

Send urgent or sensitive reports directly to ~security at twistedmatrix dot com~ (this address is temporarily out of service; we apologize for the inconvenience, please check back soon for updates). Use our public key (below) to keep your message safe and please provide us with a secure way to respond. We'll get back to you as soon as we can; please bear in mind that Twisted is an all-volunteer project and there may be some delay before we can respond. But please feel free to follow up if you think an unreasonable amount of time has elapsed without a response!

Security Procedure for Developers

The goal of the normal Twisted development procedure is to make all steps transparent and record all information at all times in a public location - either the issue tracker or a branch.

The goal of the security variation of the Twisted development procedure is to keep track of progress resolving security issues without divulging information which might be useful to attackers before a fix for the issue is available to Twisted users.

To wit:

  1. File a ticket which does not describe the issue and simply says 'security issue, description pending' and has the 'security' keyword.
  2. When the ticket goes into review, don't attach a patch or SVN branch, but put the code into a bzr branch in your home directory on svn.twistedmatrix.com. Give the branch a name like 'security-issue-NNNN' for ticket NNNN, to avoid exposing more details in the branch name. In lieu of a ticket description, the branch should of course contain a NEWS file that explains the issue and the resolution clearly.
  3. Mark the ticket for review as usual. Point to the location of the branch (which only committers will be able to read).
  4. Review comments will be relayed outside of the issue tracker, via email. Remove the review keyword as usual, but only comment that feedback has been sent to the developer.
  5. When the branch is reviewed and accepted, generate a diff from the bzr branch and apply it to svn trunk; update the tracker issue to describe the security issue.

Aside from hiding the details of the issue while development is ongoing, all of the normal policies apply; security fixes require unit tests, etc. See ReviewProcess for further details.

Our PGP key

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.0.10

mQGiBEPwigERBADuPumtZaQAW8Pek29FZMV2RyjdKXz6I7CKI53eg7Srn7zGd3EdsjVrUWtM
8SBX/O2q6XI7LN9p2IuANYfxdovx0tmOARkIxbAGIFQOJKx2Vs6PzaILnMJFN3rffbKDOuR8
7zLPri39cWLxRsTAcTKvxQ+MfnhJVf9/kAmUbrJ/awCgjSh1PUbqivZasxUVzCvB7tEhqysE
AOQYC4tLszu3aJuSmquSy9PniAB7k/ZueZcm3EgDonVvvqY5TZ971JPfQz8ztc5QRuZyI+IU
Vrtc53PjQvGCG4dkv9Iv0aGF7LuauprdUb+qH4T7Ron1Xk0S1He4B12mt05PBKSNoREeLiBX
463jpYRhTPgWXvsn3C+7fSlqkIeZA/9kB4/yl4VxqFsdPJLtog5ogsfE6/DGF4ztf/vZ3Wcz
NqJizdaPM2Oq0vvecazUiADFOE1zxEg5jP7bbgwp+VDdAdXRSbV89ZefQXKKnJ/S8ZLnZuUR
CfL4Q6xjpozh55e7wmmewVi68F/2cl1dNOiX7RUatPr9Gv8QoERnI9DFp7QoQ2hyaXN0b3Bo
ZXIgQXJtc3Ryb25nIDxyYWRpeEB1YnVudHUuY29tPohgBBMRAgAgBQJI5WAaAhsjBgsJCAcD
AgQVAggDBBYCAwECHgECF4AACgkQzG3xEdDSIIgJuACeKnHsfULnnU5Jo3NUvNCmOvd0QzgA
njECURpBd/fh9tKV82as5mypCcrdiQIcBBABCAAGBQJKHo3wAAoJEBQaT+D3HcAayFAQANsN
5mn/yl6ANHfTjo9+uOidWEiRW7CE9jvhhOUt4q6Gbat35lYZONLMWsRczIi4ZdB+Yilf1hC6
76K+hC0+nLGUu6wGa9JhvZQpqcPSe6p0Ox6L55bj0uxuZZCrIJUxpCxdlNfuoEfymeRBeZia
0FpHk7ckRVI97yJqZiN1VezG8bTxqrAz1fvOTRE3h0k8W8iOD3oUDoGCei0zef4mUrX847Ai
AbofKj9roXelUiWhLjMp5P6+3R2qjqptP7C+IRe/Bwne+03Z35pY7NM9MFqdrtp2bVFJiKV8
/Cxf7h5qRQ9qhoZ78mGR8OFtr/RE2oD8MpUWNnLT2JZBTd3Q9P71Ee5ZoCaZ7s4NB/YjzKMc
Xs279OUBWGK13/suu5MSMkDjEJybyr4xF/CAVUz10hXD6h64LRp2V2WlYYT3YhKsaH5i66TR
ccIlH9ABpoVMVDLG2RwvEd8dnovQbYbSQNRpq+6x9V9vAJscaDl3foidh15515v98dI0A3hy
DmYYcz4VG036zNbrTy0BuGe28OeGXT9c7gBNo/gyxahTfXqgN+PPKecKS8fkob2ogcQyKE5i
pQEHmCx1MkBdZj7Fn+vJGhUNIhGzRD3PxOYKVXoS1WPzQ09POsmtFgdy/BrxGiq1GoHZin7i
Y0HV9pz0tnAla1svomLGmr4L731BupHgtEhDaHJpc3RvcGhlciBBcm1zdHJvbmcgKEFyY2hh
ZW8tYWJzdHJhY3Rpb25pc3QpIDxyYWRpeEB0d2lzdGVkbWF0cml4LmNvbT6IRgQQEQIABgUC
Q/cQHQAKCRCQeRbaG+ZC5UKkAKCMdisGt06GZ1nLIusLz0Szb+MdswCdF0ZKBdGTV5TViI/G
z5fDIQb0ukmIRgQQEQIABgUCRJK49gAKCRAZrytUR0IRjbvSAJ9K+oGYTcpiUGMeYFY7tu21
SDDGcQCghYFf9bgCxj47h4OaUzYs7I88JfiIRgQQEQIABgUCRJK5LgAKCRAiU7KaZmQ6DBHN
AJ9J4acjnhDYnvNQyBwdrWd7F/aetACdESIrrN1nbjwhtn5DUiUtDXx6B8SIRgQQEQIABgUC
RJK9MwAKCRArc3QMcmecrZkSAJsEPWIPULirTAbhyQ6MnByItX3frgCcDkRfs/uPvwrE6ObV
lDg1sqzCOj2IRgQQEQIABgUCRgxTywAKCRDRDlvQMQa8woEnAJ4sDoetfBt3btqwyj/8vsM0
oP9osgCdEUdQOP5/Rb4Qc0jc+Md/CkOklLWIRgQTEQIABgUCRJK6NgAKCRDo9TE19Tp5yr4/
AJ9PgioB4Ck6Xdh8NCirYNzsgFw7tACfT5d+Iln4J+HYzXTrFQNnHxZyJUiIWwQTEQIAGwUC
Q/CKAQYLCQgHAwIDFQIDAxYCAQIeAQIXgAAKCRDMbfER0NIgiAazAJ4mpKPvW49Y4kA0MmYy
QbRMNcEJigCeLVsWEjLEcG/CBnoT7MENGsRxoJu5AQ0EQ/CKFxAEALtYeUcKFu1eJs+Gi2eJ
9pws08PUEjFZSUnkPPNwnH4L5yfL0ak0LTakkp3/L0X1g6gYu/zqf4893vYACKUMW3MYyyUu
DiHczSAWNkwB4p3DIx3Mh40XdY2RzCtl8tfUOHzQA8kUfdK3w3JDEP1a0CrfkuGfZvs4wX3p
jG8gKwUvAAQLA/9CaXeAahVzYE0zOC/t1O6rSIDfuMZaiY+YMCRSI2K5CCBYr4Dd+oeS4SBu
yLybkYm0jSEhtYqX6Bwzh1j/Yv+DFoAe6DKzAqbmKNSclEST83U+BENRqGN9QQCzetoGPOrL
AU04AWfER6NHM4UYInV11xZ0KtZZ+sGYQtsERGKJ9ohGBBgRAgAGBQJD8IoXAAoJEMxt8RHQ
0iCIIdEAniLtG+6GNmD93oCMNeTW3x5732kDAJ9qlLJf2ykJE0i7TwLg0p5QLgtxCQ==
=7xrY
-----END PGP PUBLIC KEY BLOCK-----
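Before importing a key pasted from a wiki page, it is worth confirming that the armor decoded intact and computing the key's fingerprint so it can be compared with one obtained through another channel. The Python script below is an added example, not code from this wiki page or from the Twisted project. It implements the RFC 4880 armor check (the CRC-24 on the `=XXXX` line) and the V4 fingerprint (SHA-1 over 0x99, a two-byte length and the public-key packet body). The sample key packet it runs on is constructed inline with toy MPI values and is not a usable key; `armor_is_intact` and `check_armored_key` are names chosen here.

```python
"""Check an ASCII-armored OpenPGP public key before importing it.

Added example; not code from the Twisted wiki page or the Twisted project.
Implements the RFC 4880 armor CRC-24 check and the V4 key fingerprint.
"""
import base64
import hashlib

CRC24_INIT = 0xB704CE   # RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 over the decoded armor payload."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip armor lines and headers, decode the base64 body and verify the
    trailing '=XXXX' checksum line. Raises ValueError if anything is off."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP ") or not lines[-1].startswith("-----END PGP "):
        raise ValueError("missing armor header or footer")
    body = lines[1:-1]
    if "" in body:                      # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    else:                               # tolerate a lost blank line: base64 never contains ':'
        body = [line for line in body if ":" not in line]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC-24 line")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    expected = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    if crc24(data) != expected:
        raise ValueError("CRC-24 mismatch: the armor is corrupt or was altered")
    return data


def first_packet(data: bytes):
    """Parse the first packet header (old or new format, no partial lengths)
    and return (tag, body)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not a packet header")
    if ctb & 0x40:                      # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                               # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        nbytes = 1 << ltype
        length, off = int.from_bytes(data[1:1 + nbytes], "big"), 1 + nbytes
    return tag, data[off:off + length]


def v4_fingerprint(data: bytes) -> str:
    """Fingerprint of the leading public-key packet (tag 6, version 4)."""
    tag, body = first_packet(data)
    if tag != 6:
        raise ValueError(f"first packet is tag {tag}, not a public key")
    if body[0] != 4:
        raise ValueError(f"unsupported key version {body[0]}")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def armor(data: bytes, header: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Build ASCII armor for raw packet bytes (used to make the sample)."""
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {header}-----", "Version: example", ""]
                     + lines + ["=" + crc, f"-----END {header}-----"])


def _tamper(text: str) -> str:
    """Alter one base64 character but keep the old CRC line (constructed failure case)."""
    lines = text.splitlines()
    lines[3] = ("A" if lines[3][0] != "A" else "B") + lines[3][1:]
    return "\n".join(lines)


# Constructed sample: old-format tag-6 header, 15-byte V4 RSA body with toy
# MPIs n=0xFFFF and e=0x10001. Not a usable key; real keys carry many packets.
SAMPLE_KEY_PACKET = bytes.fromhex("99000f" "04" "00000000" "01" "0010ffff" "0011010001")
SAMPLE_ARMOR = armor(SAMPLE_KEY_PACKET)
TAMPERED_ARMOR = _tamper(SAMPLE_ARMOR)


def armor_is_intact(text: str) -> bool:
    try:
        dearmor(text)
        return True
    except ValueError:                  # binascii.Error is a ValueError subclass
        return False


def check_armored_key(text: str) -> str:
    """Fingerprint of an armored key, raised as ValueError if the armor fails."""
    return v4_fingerprint(dearmor(text))


if __name__ == "__main__":
    print("sample fingerprint:", check_armored_key(SAMPLE_ARMOR))
    print("tampered armor accepted:", armor_is_intact(TAMPERED_ARMOR))
```

Pasting the key block above into `check_armored_key` works the same way, provided the base64 lines survived copying; the returned fingerprint is only useful when compared against one fetched from a keyserver or another source independent of this page.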