cloudflare/advisories
📣 Cloudflare Vulnerability/Advisory Disclosure Hub

This repo functions as the hub for "open sourced" closed source vulnerabilities/advisories as well as educational writeups composed in collaboration with third parties on discovered vulnerabilities.

Why?

Every CVE that is filed must contain at least one "public reference". Section 8.3 and Section 8.1 of the CVE Entry requirements outline what information that reference should contain.

Many organizations maintain a page on their website that lists the CVEs they have filed. Generally, very little useful information is provided on these pages beyond the required details. It can also be hard to find that page on the site, or to be notified when a new entry is added. Through a GitHub repo we believe we can address these issues (easily discoverable, swift process for new content, people can watch the repo for updates) while still meeting the reference requirement.

Additionally, many third party researchers compose writeups for their personal blogs, to share on resumes, or to post on social media. We want to continue supporting this by helping peer review posts that researchers choose to share with us before going public. We would also like to give them the option of publishing on our platform for increased visibility. Our goal is that this advisories repo will double as an easily discoverable learning resource and educational hub on past publicly disclosed Cloudflare vulnerabilities.

A writeup may follow the format of:

  • What happened?
  • How did it happen?
  • How was it fixed?

but can be adapted to the type of vulnerability. The style of these posts will be more casual and educational (code snippets, etc.) than the published public blog post. Text from these writeups may make it into public blog posts for CVEs.

Advisory Process

This repo is owned by the Cloudflare Security Team, who follow the procedures below.

Disclosing Vulnerabilities in Open Source Code

  1. A blog post is published on blog.cloudflare.com, satisfying the Section 8.1 requirement.
  2. A GitHub security advisory is published in the affected open source repo itself.
  3. (Optional) Collaborate on a writeup in this repo.

Disclosing Vulnerabilities in Closed Source Code

  1. A blog post is published on blog.cloudflare.com, satisfying the Section 8.1 requirement.
  2. A GitHub security advisory is published in this repo.
  3. (Optional) Collaborate on a writeup in this repo.

Feedback

✉️ [email protected]
