Difference between revisions of "ADempiere Security Policy"

m (What Is A Security Flaw?)
Line 6: Line 6:
 
== What Is A Security Flaw? ==
 
== What Is A Security Flaw? ==
 
''An error of commission or omission in a system that may allow protection mechanisms to be bypassed.''[http://www.ee.oulu.fi/research/ouspg/sage/glossary/]<br><br>
 
''An error of commission or omission in a system that may allow protection mechanisms to be bypassed.''[http://www.ee.oulu.fi/research/ouspg/sage/glossary/]<br><br>
Put it simple, any bug that may lead to access (read/write/delete) to protected data without the user being authorised through ADempiere security and authorisation procedures is considered a security issue.
+
Put simply, any bug that may lead to access (read/write/delete) to protected data without the user being authorised through ADempiere security and authorisation procedures is considered a security issue.
 
<br>According to the definition, configuration problems do not count as security flaws unless they are caused by the default configuration of the ADempiere.
 
<br>According to the definition, configuration problems do not count as security flaws unless they are caused by the default configuration of the ADempiere.
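Review bot: the unchanged context line "the default configuration of the ADempiere" still carries a stray article and should read "of ADempiere"; since this edit only fixes "Put it simple", that wording could be tidied in the same pass. The definition line also cites its source as a bare URL followed by two <br> tags; a labelled link and a paragraph break would read better than the raw link and forced line breaks.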
  

Revision as of 15:04, 1 July 2007

The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts. -Eugene H. Spafford

Introduction

If you have found a bug and are not sure whether it is a security flaw, or if you are sure about a security flaw and would like to report it (thank you :-) ), then you have come to the right place.

What Is A Security Flaw?

An error of commission or omission in a system that may allow protection mechanisms to be bypassed.[1]

Put simply, any bug that may lead to access (read/write/delete) to protected data without the user being authorised through ADempiere security and authorisation procedures is considered a security issue.
According to this definition, configuration problems do not count as security flaws unless they are caused by the default configuration of ADempiere.

How To Report?

It is assumed that you have tested the flaw thoroughly and are sure (well, 70% sure :-) ) that it is a flaw.
First you need to create a report, and then send it to the security team.

Report Contents

  • [Required] ADempiere version, e.g. 3.2.0; or, if you are working with the trunk, the revision number, e.g. 2435.
  • [Required] Database vendor and version, e.g. OracleXE 10.2.0 or PostgreSQL 8.2.4.
  • [Optional] Operating system, e.g. Debian 4.0 or Windows XP SP2.
  • [Optional] Internet browser, e.g. Internet Explorer 6.0 or Firefox 2.0.0.3.
  • [Required] Steps to reproduce the flaw; please describe, step by step, what to do in order to trigger it.
  • [Optional] Analysis; if you have any clues regarding the cause of the flaw, it is very helpful to attach them as well.

Security Team

Please send your security reports only to security[ATSIGN]adempiere[DOTSIGN]org.

Please do not open a tracker item (even a private one) or publish the security issue by other means, in order to give implementors and customers time to fix the hole.

Acknowledgments

We acknowledge the efforts and the time you spend to improve your own project by reporting security flaws to us. Thank you! -ADempiere Security Team

External Links

  • Read the story of the ADempiere security team.