+<h1>Pidgin Security</h1>
+<p>Being a network client which interacts with untrusted users and
+servers, managing vulnerabilities and security response is important to
+the Pidgin project and to our users.  We have established procedures for
+collecting security-related information, and for disclosing this
+information to the public.
+<h2>Reporting a Security-related Issue</h2>
+If you believe you have discovered a security problem or vulnerability
+in Pidgin, libpurple, finch, or one of our related projects, please let
+us know by emailing
+<a href="mailto:security at pidgin.im">security at pidgin.im</a>.</p>
+<p>In order to help us fix the problem as quickly as possible and with
+as little exposure to malicious intent to our users as can be managed,
+we ask that you give us a chance to fix the problem before you publish
+its existence or details in a public forum, and that you provide us with
+as much information as you can.  In return, we will endeavor to respond
+to your concerns in a timely fashion.  When reporting a security-related
+bug or a vulnerability, please provide us with as much of the
+information in the following list as possible.  If you don't know what
+something is or how to provide it, that's OK, leave it out and tell us
+what you do know.</p>
+  <li><p>A way to contact you or your organization.</p></li>
+  <li><p>The version of Pidgin, libpurple, finch, or other package in
+  which the problem was discovered.</p></li>
+  <li><p>A concise description of the problem, including a summary of
+  why you believe it is security-critical.  This might be, for example,
+  "Receipt of an invalid XMPP message containing the tag &lt;foo&gt;
+  causes Pidgin to write data to an invalid memory location."</p></li>
+  <li><p>Steps to reproduce the problem, if known.</p></li>
+  <li><p>Any debugging information, including backtraces
+  (see <a href="http://developer.pidgin.im/wiki/GetABacktrace">our
+  instructions for obtaining a backtrace</a>), a debug log (the output
+  of pidgin -d), etc.</p></li>
+  <li><p>Any proof of concept exploits, debugging tools, or other
+  information you have and are willing to divulge.</p></li>
+  <li><p>The oldest and newest versions of our software affected by the
+  bug <em>to the best of your knowledge</em>.  If you don't know,
+  that's fine &mdash; we'll try to find out.</p></li>
+  <li><p>Information on any security reports or vulnerability
+  assessments you may have already made on the issue (preferably not
+  yet public, as mentioned above).</p></li>
+  <li><p>Any proposed embargo dates, release schedules, etc. you or your
+  organization may have established.</p></li>
+<h2>Receiving Security-related Reports</h2>
+<p>We maintain a list of packagers and maintainers of Pidgin and related
+software which we notify of security vulnerabilities and their fixes
+prior to disclosure to the public.  This allows packagers and
+distributors of our software to release patched or updated versions
+simultaneously with the public disclosure of known issues.  We attempt
+to provide sufficient advance warning to this list that packages may be
+properly prepared before disclosure.</p>
+<p>If you believe you should be on this list, please
+contact <a href="mailto:security at pidgin.im">security at pidgin.im</a> and
+let us know why.</p>
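Review bot: the markup in this hunk is not well-formed, so the rendered page will nest incorrectly. The `<p>` opened at "Being a network client which interacts..." is never closed before `<h2>Reporting a Security-related Issue</h2>`, so the `</p>` after the first mailto link ends up closing a paragraph that wraps a heading, and the `<li>` items from "A way to contact you or your organization." through "Any proposed embargo dates, release schedules, etc." have no enclosing `<ul>`. Suggest adding `</p>` before the `<h2>`, opening a new `<p>` for "If you believe you have discovered a security problem...", and wrapping the list items in `<ul> ... </ul>`. Separately, both `href="mailto:security at pidgin.im"` links contain spaces, so clicking them will not open a mail client with a usable address; if the "at" spelling is deliberate anti-spam obfuscation, render the address as plain text rather than as a mailto link, otherwise put the real address in the href.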
