<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<style type="text/css"> /* <![CDATA[ */
  @import "branding/css/tigris.css";
  @import "branding/css/inst.css";
  /* ]]> */</style>
<link rel="stylesheet" type="text/css" media="print"
  href="branding/css/print.css"/>
<script type="text/javascript" src="branding/scripts/tigris.js"></script>
<title>Subversion Security</title>
</head>

<body>
<div class="app">

<h2>Subversion Security</h2>

<p>If you discover a security vulnerability in Subversion, please
email this address (which is not hosted at tigris.org due to the need
for complete privacy):</p>

<!-- See http://www.cdt.org/speech/spam/030319spamreport.shtml for
     evidence that this has some effect. -->
<blockquote>
<p><strong><span>&#115;</span><span>&#118;</span><span>&#110;</span><span>&#115;</span><span>&#101;</span><span>&#099;</span><span>&#117;</span><span>&#114;</span><span>&#105;</span><span>&#116;</span><span>&#121;</span><span>&#032;</span><span>&#123;</span><span>&#064;</span><span>&#125;</span><span>&#032;</span><span>&#114;</span><span>&#101;</span><span>&#100;</span><span>&#045;</span><span>&#098;</span><span>&#101;</span><span>&#097;</span><span>&#110;</span><span>&#046;</span><span>&#099;</span><span>&#111;</span><span>&#109;</span></strong></p>
</blockquote>

<p>(Take off the spaces and curly braces, of course.)</p>

<p>It is safe to send sensitive reports to this address: list
membership is controlled, and the archives are not publicly
accessible.  We will analyze your report and take appropriate action.
Our usual procedure is to</p>

<ol>
   <li>Make a fix for the vulnerability.</li>

   <li>Discreetly distribute the fix to a few large sites that run
   Subversion servers and are trusted to be discreet themselves.</li>

   <li>Release a new version of Subversion (containing just that fix)
   and publicly announce the vulnerability on the same day.</li>
</ol>

<p>This procedure may vary depending on the nature of the
vulnerability and the degree of pre-existing public awareness, of
course.</p>

<p><span style="color: red"><i>Please do not reproduce the above email
address on other web pages or in public postings.</i></span> Due to
the need for responsiveness, the security list is unmoderated, which
makes it particularly vulnerable to spammers.  We want to avoid
changing the list address, because it's good to have a consistent,
dependable place to report security holes.</p>

<p>On this page, the address has been encoded in various ways to
reduce the likelihood of a spam harvester noticing it.  But if the
address starts appearing in other places on the Internet, then the
harvesters will inevitably pick it up, and we'll be stuck wading
through ever-increasing amounts of spam, trying not to lose important
vulnerability reports in the noise.</p>

</div>
</body>
</html>