Policy: Handling of security issues

Below we describe our "official" policy as to how we handle security issues.

Reporting security issues
Please report security issues on the bug tracker at https://bugs.unrealircd.org/ and mark the issue as 'private' in the bug submit form. Do not report security issues in a public channel such as #unreal-support. If you insist on e-mail then you can use syzop@unrealircd.org or security@unrealircd.org. Again, the bug tracker is preferred.

You should get a response or at least an acknowledgement soon. If you don't hear back after 24 hours, then please try to contact again.

The various factors
Similar to CVSS we can describe a number of factors that are involved with each security issue. We only discuss the ones we find relevant for our case (an IRC server).

Access vector

 * Unauthenticated or authenticated user
 * Requires IRCOp rights
 * Server-to-server traffic bugs
 * Shell access required

Impact

 * Disclosure of sensitive information
 * Privilege elevation from regular user to IRCOp
 * Crash or other DoS
 * Remote code execution

Additional factors

 * Whether a configuration setting required for the security issue is (highly) uncommon
 * If the issue is known by anyone else other than the UnrealIRCd coders and the person who submitted the issue, and (similarly) if it's being exploited in the wild already

Our policy

 * Immediate fix: release ASAP (days.. or even hours)
 * Fix later: fix in next upcoming release (may take several weeks)
 * Immediate fix / Fix later: depends on circumstances such as how many people know about the issue, how many people are affected, etc.
 * Normal bug: we do fix these sort of issues but they are treated as regular bugs.
 * No security issue: Not a security issue, for example exposing sensitive data to IRCOps is normal, similarly exploiting UnrealIRCd on the shell by the same uid as the uid running UnrealIRCd makes no sense.

Disclosure/Communication

 * Whenever security issues have been fixed in an UnrealIRCd release we will mention this in the release notes.
 * In case of a forced release we fully describe the impact and access vector so everyone is aware of how serious an issue is.
 * We send a message out to the unreal-notify mailing list. Everyone running UnrealIRCd should be subscribed to this list! We also post on twitter, the forums and the front page.
 * In case of a very grave security issue we may send out a pre-announcement saying that at day/time XYZ a security advisory will be released. The purpose of this is so people are "ready" to upgrade ASAP when the fix gets out.

Fix

 * We will always release both the .tar.gz (Source, eg: for *NIX) and Windows binaries for a release at the same time
 * We try to provide a hot-patch, requiring no IRCd restart. But only if possible, and on a best-effort basis.