- 02-memory/README.md: Remove broken example links, keep valid ones - CONTRIBUTING.md: Fix relative path to SECURITY.md - 07-plugins/README.md: Update MCP spec URL to working domain - .github/SECURITY_REPORTING.md: Update OWASP link to valid cheatsheet - .github/ISSUE_TEMPLATE/*: Replace placeholder links with comments - .github/markdown-link-check-config.json: Add ignore patterns for example URLs in code blocks (docs.example.com, template files)
310 lines
8.9 KiB
Markdown
310 lines
8.9 KiB
Markdown
# Security Vulnerability Reporting
|
|
|
|
This file explains how to report security vulnerabilities to the Claude How To project.
|
|
|
|
## Quick Links
|
|
|
|
- **Private Reporting**: https://github.com/luongnv89/claude-howto/security/advisories
|
|
- **Security Policy**: [SECURITY.md](../SECURITY.md)
|
|
- **Report Template**: See below
|
|
|
|
## Report a Vulnerability
|
|
|
|
### Option 1: GitHub Private Vulnerability Report (RECOMMENDED)
|
|
|
|
This is the preferred method for reporting security vulnerabilities.
|
|
|
|
**Steps:**
|
|
1. Go to: https://github.com/luongnv89/claude-howto/security/advisories
|
|
2. Click "Report a vulnerability"
|
|
3. Fill in the details (use template below)
|
|
4. Submit
|
|
|
|
**Advantages:**
|
|
- Keeps vulnerability private until fix is released
|
|
- Automatic notifications to maintainers
|
|
- Built-in collaboration features
|
|
- Integrated with GitHub security tools
|
|
|
|
### Option 2: GitHub Security Alert (For Dependencies)
|
|
|
|
If you discover a vulnerability in a dependency:
|
|
|
|
1. Go to: https://github.com/luongnv89/claude-howto/security/dependabot/alerts
|
|
2. Review the alert
|
|
3. Create a pull request with the fix
|
|
4. Tag with `security` label
|
|
|
|
### Option 3: Private Email (If GitHub unavailable)
|
|
|
|
If you cannot use GitHub's reporting system:
|
|
|
|
**Coming soon**: Security contact email will be added here
|
|
|
|
For now, use GitHub's private vulnerability reporting as described above.
|
|
|
|
## Vulnerability Report Template
|
|
|
|
Use this template when reporting a vulnerability:
|
|
|
|
```
|
|
**Title**: [Brief description of vulnerability]
|
|
|
|
**Severity**: [Critical/High/Medium/Low]
|
|
Estimated CVSS Score: [0-10]
|
|
|
|
**Type**: [Code/Documentation/Dependency/Configuration]
|
|
|
|
**Affected Component**:
|
|
- File: [path/to/file.py]
|
|
- Section: [Section name if documentation]
|
|
- Version: [latest/specific version]
|
|
|
|
**Description**:
|
|
[Clear explanation of what the vulnerability is]
|
|
|
|
**Potential Impact**:
|
|
[What could an attacker do with this vulnerability?]
|
|
[Who could be affected?]
|
|
|
|
**Steps to Reproduce**:
|
|
1. [First step]
|
|
2. [Second step]
|
|
3. [Third step]
|
|
[Expected result vs actual result]
|
|
|
|
**Proof of Concept** (if available):
|
|
[Code or steps to demonstrate the vulnerability]
|
|
|
|
**Suggested Fix**:
|
|
[Your recommended solution, if you have one]
|
|
|
|
**Additional Context**:
|
|
[Any other relevant information]
|
|
|
|
**Your Information**:
|
|
- Name: [Your name or anonymous]
|
|
- Email: [Your email]
|
|
- Credit: [How you'd like to be credited, if at all]
|
|
```
|
|
|
|
## What Happens After You Report
|
|
|
|
### Timeline
|
|
|
|
1. **Immediate (< 1 hour)**
|
|
- Automatic notification sent to project maintainers
|
|
|
|
2. **Within 24 hours**
|
|
- Initial assessment of the report
|
|
- Confirmation that we received it
|
|
- Preliminary severity assessment
|
|
|
|
3. **Within 48 hours**
|
|
- Detailed response from security team
|
|
- Questions for clarification (if needed)
|
|
- Timeline for fix (if vulnerability confirmed)
|
|
|
|
4. **Within 1-7 days** (depends on severity)
|
|
- Fix developed and tested
|
|
- Security advisory prepared
|
|
- Fix released and public advisory published
|
|
|
|
### Communication
|
|
|
|
We will keep you informed through:
|
|
- GitHub private vulnerability discussion
|
|
- Email (if provided)
|
|
- Updates in the discussion thread
|
|
|
|
You can:
|
|
- Ask clarifying questions
|
|
- Provide additional information
|
|
- Suggest improvements to the fix
|
|
- Request timeline adjustments
|
|
|
|
### Disclosure Timeline
|
|
|
|
**Critical Issues (CVSS 9.0-10.0)**
|
|
- Fix: Released immediately (within 24 hours)
|
|
- Disclosure: Public advisory issued same day
|
|
- Notice: 24 hours advance notice to reporter
|
|
|
|
**High Issues (CVSS 7.0-8.9)**
|
|
- Fix: Released within 48-72 hours
|
|
- Disclosure: Public advisory on release
|
|
- Notice: 5 days advance notice to reporter
|
|
|
|
**Medium Issues (CVSS 4.0-6.9)**
|
|
- Fix: Included in next regular update
|
|
- Disclosure: Public advisory on release
|
|
- Notice: Coordinated timing
|
|
|
|
**Low Issues (CVSS 0.1-3.9)**
|
|
- Fix: Included in next regular update
|
|
- Disclosure: Advisory on release
|
|
- Notice: Same day as release
|
|
|
|
## Security Vulnerability Criteria
|
|
|
|
### In Scope
|
|
|
|
We accept reports on:
|
|
|
|
- **Code Vulnerabilities**
|
|
- Injection attacks (command, SQL, etc.)
|
|
- Cross-site scripting (XSS) in examples
|
|
- Authentication/authorization flaws
|
|
- Path traversal vulnerabilities
|
|
- Cryptography issues
|
|
|
|
- **Documentation Security**
|
|
- Exposed secrets or credentials
|
|
- Insecure code patterns
|
|
- Security anti-patterns
|
|
- Misleading security claims
|
|
|
|
- **Dependency Vulnerabilities**
|
|
- Known CVEs in dependencies
|
|
- Supply chain attacks
|
|
- Malicious dependencies
|
|
|
|
- **Configuration Issues**
|
|
- Insecure defaults
|
|
- Missing security headers
|
|
- Credential exposure in examples
|
|
|
|
### Out of Scope
|
|
|
|
We do NOT accept reports on:
|
|
|
|
- Vulnerabilities in Claude Code itself (contact Anthropic)
|
|
- Vulnerabilities in external services
|
|
- Theoretical vulnerabilities without proof
|
|
- Issues already reported to upstream projects
|
|
- Social engineering or phishing
|
|
- User education/training issues
|
|
|
|
## Responsible Disclosure Guidelines
|
|
|
|
### Do's ✅
|
|
|
|
- **Report privately** before public disclosure
|
|
- **Be specific** with file paths and line numbers
|
|
- **Provide proof** of the vulnerability
|
|
- **Give us time** to fix (coordinated disclosure)
|
|
- **Update** if you discover more details
|
|
- **Be professional** in all communications
|
|
- **Respect confidentiality** until we publish
|
|
|
|
### Don'ts ❌
|
|
|
|
- **Don't publicly disclose** before we fix
|
|
- **Don't exploit** the vulnerability beyond testing
|
|
- **Don't modify** other users' data
|
|
- **Don't demand** payment or favors
|
|
- **Don't share** the vulnerability with others
|
|
- **Don't use** it in any harmful way
|
|
- **Don't spam** with non-security related issues
|
|
|
|
## Coordinated Disclosure
|
|
|
|
We practice responsible disclosure:
|
|
|
|
1. **Private Report**: You report to us privately
|
|
2. **Our Assessment**: We evaluate and assess severity
|
|
3. **Fix Development**: We develop and test a fix
|
|
4. **Advance Notice**: We give you advance notice before public disclosure
|
|
5. **Public Release**: We release fix and advisory together
|
|
6. **Your Credit**: We acknowledge your contribution (if desired)
|
|
|
|
**Timeline varies based on severity** (see section above)
|
|
|
|
## After the Fix is Released
|
|
|
|
### Public Advisory
|
|
|
|
A public security advisory will include:
|
|
- Description of the vulnerability
|
|
- Affected versions
|
|
- Severity (CVSS score)
|
|
- Steps to remediate
|
|
- Link to the fix
|
|
- Credit to reporter (with permission)
|
|
|
|
### Your Recognition
|
|
|
|
If you wish to be credited:
|
|
- Your name/handle in the advisory
|
|
- Link to your profile/website
|
|
- Mention in release notes
|
|
- Addition to hall of fame (if created)
|
|
|
|
### No Compensation
|
|
|
|
Please note:
|
|
- This is a volunteer-run open-source project
|
|
- We cannot offer financial rewards
|
|
- We do offer recognition and credit
|
|
- Your contribution helps the community
|
|
|
|
## Security Research
|
|
|
|
If you're conducting security research:
|
|
|
|
1. **Get Permission**: Contact maintainers first
|
|
2. **Define Scope**: Agree on what you'll test
|
|
3. **Report Findings**: Use this process
|
|
4. **Respect Timeline**: Allow time for fixes
|
|
5. **Publish Responsibly**: Coordinate with us
|
|
|
|
## Questions?
|
|
|
|
For questions about this process:
|
|
|
|
1. Check [SECURITY.md](../SECURITY.md) for detailed policy
|
|
2. Look at [FAQ](#faq) section below
|
|
3. Open a discussion with `[SECURITY]` label
|
|
4. Use private vulnerability reporting for sensitive questions
|
|
|
|
## FAQ
|
|
|
|
**Q: Will my report be kept confidential?**
|
|
A: Yes, until the fix is released. We only share details with those working on the fix.
|
|
|
|
**Q: How long do I need to wait before public disclosure?**
|
|
A: We follow responsible disclosure timelines based on severity (24 hours to 7 days). You can agree to extend this if needed.
|
|
|
|
**Q: Will I get credit?**
|
|
A: Yes, in the security advisory and release notes (unless you prefer anonymity).
|
|
|
|
**Q: What if the vulnerability is minor?**
|
|
A: All legitimate security issues are taken seriously. Even minor fixes will be acknowledged.
|
|
|
|
**Q: Can I report vulnerabilities in documentation only?**
|
|
A: Yes! Documentation security is important too. Examples with insecure patterns are in scope.
|
|
|
|
**Q: What if I'm not sure if something is a security issue?**
|
|
A: Report it anyway! If it's not a security issue, we'll let you know. False positives are fine.
|
|
|
|
**Q: Can I publicly discuss the vulnerability after reporting?**
|
|
A: No, please keep it private until we publish the advisory. Premature disclosure could put users at risk.
|
|
|
|
**Q: How do I know you received my report?**
|
|
A: GitHub will send an automatic notification, and we'll follow up within 24 hours.
|
|
|
|
**Q: What if I don't hear back?**
|
|
A: Check GitHub security advisories page. If you still don't see a response, you can follow up with a comment on the private report.
|
|
|
|
## Resources
|
|
|
|
- [SECURITY.md](../SECURITY.md) - Full security policy
|
|
- [CONTRIBUTING.md](../CONTRIBUTING.md) - Contributing guidelines
|
|
- [CODE_OF_CONDUCT.md](../CODE_OF_CONDUCT.md) - Community standards
|
|
- [OWASP Vulnerability Disclosure](https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html) - Responsible disclosure best practices
|
|
- [Coordinated Vulnerability Disclosure](https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html)
|
|
|
|
---
|
|
|
|
Thank you for helping keep this project secure! 🔒
|