# 📣 Cloudflare Vulnerability/Advisory Disclosure Hub

This repo functions as the hub for "open sourced" closed-source vulnerabilities/advisories, as well as educational writeups composed in collaboration with third parties on discovered vulnerabilities.

## Why?

Every CVE that is filed must contain at least one "public reference". Sections 8.1 and 8.3 of the CVE Entry requirements outline what information that reference should contain.

Many organizations maintain a page on their website that lists CVEs they have filed. Generally, very little useful information is provided on these pages beyond the required details. It can also be challenging to discover this page on the site itself or to be notified when a new entry has been added. Through a GitHub repo we believe we can address these issues (easily discoverable, swift process for new content, people can watch the repo for updates) while meeting the reference requirement.

Additionally, many third-party researchers compose writeups for their personal blogs to share on resumes or on social media. This is a great thing for us to continue to support, by helping peer review posts that researchers choose to share with us before going public. We would also like to give them the optional opportunity to publish on our platform for increased visibility. Our goal is that this advisories repo will now double as an easily discoverable learning resource and educational hub on past publicly disclosed Cloudflare vulnerabilities.

A writeup may follow the format of:

- What happened?
- How did it happen?
- How was it fixed?

but can be adapted to the type of vulnerability. The style of these posts will be more casual and educational (code snippets, etc.) than the published public blog post. The text from these writeups may make it into public blog posts for CVEs.

## Advisory Process

This repo is owned by the Cloudflare Security Team, who follow the procedures below.

### Disclosing Vulnerabilities in Open Source Code

1. Blog post is published on blog.cloudflare.com satisfying the Section 8.1 requirement.
2. GitHub security advisory is published in the GitHub repo itself.
3. (Optional) Collaborate on a writeup in this repo.

### Disclosing Vulnerabilities in Closed Source Code

1. Blog post is published on blog.cloudflare.com satisfying the Section 8.1 requirement.
2. GitHub security advisory is published in this repo.
3. (Optional) Collaborate on a writeup in this repo.

## Feedback

✉️ security@cloudflare.com