Submitting a CVE

Eugen C edited this page Oct 22, 2022 · 16 revisions

The StackStorm approach to security is described at https://stackstorm.com/security/. For each security vulnerability it lists the CVE ID, the StackStorm versions affected, a URL to the description, and the name of the reporter who discovered the vulnerability.

Every vulnerability found in StackStorm should have a respective CVE associated.

Here is the process for requesting a CVE ID:

  1. First of all, once a vulnerability is reported by someone, acknowledge the report, verify that it is a valid exploitable issue, thank the researcher, and provide the next steps via email (always cc security [at] stackstorm.com so the conversation is automatically shared with the other StackStorm TSC members).
  2. Once sufficient details about the security vulnerability are known, request a CVE ID via https://cveform.mitre.org/. Use security [at] stackstorm.com as the email address. This reserves a unique ID for future use without publishing any details yet.
  3. Fix the issue in the code. Don't disclose or hint at any details about the security vulnerability at this point, as that would expose StackStorm users before a fixed version is released.
  4. Request an update to the existing CVE entry at https://cveform.mitre.org/, including more details and a description of the exploitation.
  5. Release the new, fixed StackStorm version.
     1. Publish a blog post describing the exploit, mentioning the CVE ID and the researcher's name.
     2. Update https://stackstorm.com/security/ with the CVE, the blog post URL, and the researcher's name.
  6. Notify CVE about the publication at https://cveform.mitre.org/, including the existing CVE ID and the release announcement URL describing the security issue.