Dealing with security vulnerability reports

This information is intended for package authors who have packages incubated by the SSWG and listed on the SSWG’s package index. If instead you found (or have heard of) a security vulnerability you’d like to report, please have a look over here.

The discovery of a security vulnerability in your code can be daunting, but it is part of the life of any software developer. So first of all, don’t stress. If you need any help at any step of the way, please feel free to contact any of the SSWG members or the group as a whole at sswg-security-reports@forums.swift.org.

Here is a step-by-step guide on what to do with regards to the SSWG:

1. The SSWG is only a secondary point of contact which can broadcast information about vulnerabilities. The best way to start is to start addressing the vulnerability according to the security process of your own package.
2. As soon as you can – but within 10 calendar days of discovering / receiving notification about the vulnerability – please notify the SSWG about the vulnerability at sswg-security-reports@forums.swift.org. The SSWG will not disclose any information about this vulnerability and the emails can only be seen by the SSWG members listed on the Server Section as well as the Swift Core team. If you prefer to share the vulnerability only with a smaller group, please feel free to reach out to any of the SSWG members individually.
3. After fixing the vulnerability, please promptly (within three days of releasing the fixed version) create a new Swift Forums post in the Server > Security Updates category, linking to your own security advisory. The security advisory should contain at least which versions of what software are affected and how to update to an unaffected version.

Graduated projects are expected to complete the whole process – from the initial report/discovery to fixing and publishing the vulnerability – within 30 days. We do however acknowledge that certain types of vulnerabilities are either very complicated to address or a part of a “coordinated disclosure” which means that 30 days may not be enough. That is absolutely understandable, please however make sure to inform the SSWG (at sswg-security-reports@forums.swift.org) about your anticipated timelines and any significant divergence from the plan.

A package maintainer’s failure to report or address vulnerabilities may result in the SSWG publishing a security advisory, and could lead to retracting the project’s status and listing it under the non-recommended projects list. In some cases, the SSWG may choose to find a technical contributor that can help resolve the security issues to minimize the impact on the ecosystem. SSWG actions will be decided on a case by case basis and require a super-majority vote.

Project authors are also encouraged to make use of their source control system security features (for example: GitHub’s “Security Advisories” and GitLab’s “Confidential Issues”) to manage the vulnerabilities and inform their users.