Policy: Handling of security issues

Below we describe our "official" policy on how we handle security issues.

The various factors
Similar to CVSS, we can describe a number of factors that are involved in each security issue. We only discuss the ones we find relevant for our case (an IRC server).

Access vector

 * Unauthenticated or authenticated user
 * Requires IRCOp rights
 * Server-to-server traffic bugs
 * Shell access required

Impact

 * Disclosure of sensitive information
 * Privilege elevation from regular user to IRCOp
 * Crash or other DoS
 * Remote code execution

Additional factors

 * Whether a configuration setting required to trigger the security issue is (highly) uncommon
 * Whether the issue is known to anyone other than the UnrealIRCd coders and the person who reported it, and (similarly) whether it is already being exploited in the wild

Our policy

 * Immediate fix: release ASAP (days, or even hours)
 * Fix later: fix in the next upcoming release (may take several weeks)
 * Immediate fix / Fix later: depends on circumstances such as how many people know about the issue, how many people are affected, etc.
 * Low(er) priority: we do fix these sorts of issues, but they are treated as regular bugs.
 * No security issue: for example, exposing sensitive data to IRCOps is normal, and "exploiting" UnrealIRCd from the shell as the same uid that UnrealIRCd runs under makes no sense, since that user already has full control over the process.

Disclosure
Whenever security issues have been fixed in an UnrealIRCd release, we will mention this in the release notes.

In case of a release forced by a security issue, we fully describe the impact and access vector so everyone is aware of how serious the issue is.

We send a message out to the unreal-users and unreal-notify mailing lists. Everyone running UnrealIRCd should be subscribed to these lists! (We mention this on the download page.)

In case of a very grave security issue we may send out a pre-announcement saying that at day/time XYZ a security advisory will be released.

Fix

 * We will always release both the .tar.gz (source, e.g. for *NIX) and the Windows binaries for a release at the same time
 * We try to provide a hot-patch requiring no IRCd restart, but only where that is possible, and on a best-effort basis.
 * We usually do not link directly to the patch / source code change for a particular security fix, especially not in the first XX hours.