Policy: Handling of security issues

If you find a possible security issue, either in the UnrealIRCd software itself or in unrealircd.org infrastructure, then please report it to us before making it public, as explained below. This way we can fix the issue and inform our users, allowing them to upgrade their servers before an issue is abused by bad guys.

''This wiki page is the long version of SECURITY.md. If you are looking for hands-on security tips, see the Security article.''

Reporting security issues
Please report security issues on the bug tracker at https://bugs.unrealircd.org/ and mark the issue as "private" in the bug submit form. If it's not a bug in the UnrealIRCd software itself or if you otherwise insist on e-mail then you can use syzop@unrealircd.org.

You should get a response or at least an acknowledgement soon. If you don't hear back after 24 hours, then please try to contact again.

DO NOT REPORT OR DISCUSS SECURITY ISSUES IN PUBLIC (so not on IRC/forums/..). If you are unsure if something is a security issue, then report it at the bug tracker as a 'private' bug anyway! Better safe than sorry. Again, do not discuss or ask around in IRC channels or forums.

Reward
UnrealIRCd is an Open Source project run by volunteers. Unfortunately we cannot provide security researchers any monetary reward. However, when a security issue is found and confirmed to be an issue (more on that below), then we will credit the researcher in the changelog. We thank you for keeping the servers of our users (many of which are volunteers too) secure.

The various factors
Similar to CVSS we can describe a number of factors that are involved with each security issue. We only discuss the ones we find relevant for our case (an IRC server).

Access vector

 * Unauthenticated or authenticated user
 * Requires IRCOp rights
 * Server-to-server traffic bugs
 * Shell access required

Impact

 * Disclosure of sensitive information
 * Privilege elevation from regular user to IRCOp
 * Crash or other DoS
 * Remote code execution

Additional factors

 * Whether a configuration setting required for the security issue is (highly) uncommon
 * If the issue is known by anyone else other than the UnrealIRCd coders and the person who submitted the issue, and (similarly) if it's being exploited in the wild already

Our policy

 * Immediate fix: release ASAP (days.. or even hours)
 * Fix later: fix in next upcoming release (may take several weeks)
 * Immediate fix / Fix later: depends on circumstances such as how many people know about the issue, how many people are affected, etc.
 * Normal bug: we do fix these sort of issues but they are treated as regular bugs.
 * No security issue: Not a security issue, for example exposing sensitive data to IRCOps is normal, similarly exploiting UnrealIRCd on the shell by the same uid as the uid running UnrealIRCd makes no sense.

Disclosure/Communication

 * Whenever security issues have been fixed in an UnrealIRCd release we will mention this in the release notes.
 * In case of a forced release we fully describe the impact and access vector so everyone is aware of how serious an issue is.
 * We send a message out to the unreal-notify mailing list. Everyone running UnrealIRCd should be subscribed to this list! We also post on twitter, the forums and the front page.
 * In case of a very grave security issue we may send out a pre-announcement saying that at day/time XYZ a security advisory will be released. The purpose of this is so people are "ready" to upgrade ASAP when the fix gets out.

Fix

 * We will always try to release both the .tar.gz (Source, eg: for *NIX) and Windows binaries for a release at the same time
 * We may provide a hot-patch, requiring no IRCd restart. But only if possible, and on a best-effort basis.