Submitting a CVE

Eugen C edited this page Dec 2, 2022 · 16 revisions

The StackStorm approach to security is described at https://stackstorm.com/security/. For each security vulnerability, that page lists the CVE ID, the StackStorm versions affected, a URL to the description, and the name of the reporter who discovered the vulnerability.

Every vulnerability found in StackStorm should have a CVE ID associated with it.

Here is the process for requesting a CVE ID:

  1. Once a vulnerability is reported, acknowledge the report, verify that it is a valid, exploitable issue, thank the researcher, and provide the next steps via email (always cc security [at] stackstorm.com so the conversation is automatically shared with the other StackStorm TSC members).
  2. Once sufficient details about the security vulnerability have been researched, request a CVE ID via https://cveform.mitre.org/, using security [at] stackstorm.com as the contact email. This RESERVES a unique ID for future use without publishing any details yet. Include sufficient information about the vulnerability, following these guides:
    1. Guide 1
    2. Guide 2
    3. Phrasing guidelines
  3. Fix the issue in the code. Don't disclose or hint at any details about the security vulnerability at this point, as that would expose StackStorm users before a fixed version is released.
  4. Request an update to the existing CVE entry at https://cveform.mitre.org/, adding more details and a description of how the issue can be exploited.
  5. Release the new, fixed StackStorm version.
    1. Publish a blog post describing the vulnerability, mentioning the CVE ID and the researcher's name.
    2. Update https://stackstorm.com/security/ with the CVE ID, the blog post URL, and the researcher's name.
  6. Notify MITRE of the publication at https://cveform.mitre.org/, including the existing CVE ID and the release announcement URL describing the security issue.