Clarifications on security vulnerability process
nezdolik opened this issue · 4 comments
Hi, is there a security vulnerability reporting process for this project? Are vulnerabilities reported privately or in public?
Some context: Envoyproxy is considering adding a Maxmind-based geolocation filter as a core dependency, and for that libmaxminddb needs to be evaluated against a list of criteria. The existence of a security vulnerability process is one of those criteria.
I may need help with clearing a few more criteria for libmaxminddb on the list, mainly the ones below:
- Tests run in CI
- High test coverage (also static/dynamic analysis, fuzzing)
- Envoy can obtain advanced notification of vulnerabilities or of security releases
- Do other significant projects have shared fate by using this dependency? (Here from my research Nginx and Apache Traffic server have geoip2 modules/plugins based on this project)
Please let me know if I should create a separate issue per criterion.
Hi! Thanks for contacting us about this:
> Is there a security vulnerability reporting process for this project? Are vulnerabilities reported privately or in public?
We do not currently have a separate security reporting process. Security issues are currently reported here or via support@maxmind.com.
> Tests run in CI
Yes, our tests run in CI.
> High test coverage
I don't have the current coverage percentage, but they were high in the past and I believe them to still be high.
> static/dynamic analysis, fuzzing
As you can see from the workflows I linked to, we currently run the tests with Clang's AddressSanitizer enabled. We also run Clang's static analysis and GitHub's CodeQL against the code. We also run afl-fuzz on the code, in particular when making more significant changes.
> Envoy can obtain advanced notification of vulnerabilities or of security releases
We do not currently have a process for notifying third parties. Most reported security issues are fixed as soon as possible. See, e.g., 1, 2, 3
> Do other significant projects have shared fate by using this dependency?
There are many projects that either use libmaxminddb directly or that have extensions or modules that use it. Here are a few based on reverse dependencies in Debian:
- bind9
- wireshark-common
- trafficserver
- syslog-ng-mod-geoip2
- suricata
- proftpd-mod-geoip2
- prelude-manager
- pmacct
- pdns-backend-geoip
- ocserv
- ntopng
- mailfromd
- logswan
- lighttpd-mod-maxminddb
- libpam-geoip
- libmodsecurity3
- knot-module-geoip
- kamailio-geoip2-modules
- inspircd
- goaccess
- gdnsd
- libnginx-mod-stream-geoip2
- libnginx-mod-http-geoip2
There are many hundreds more, particularly once you count indirect reverse dependencies via things like geoip2 and maxminddb in Python.
It appears your questions have been answered. I am going to close out this issue. Please let me know if you have any follow-up questions.