You can report a security-related issue in Evergreen via the bug tracking system at https://bugs.launchpad.net/evergreen – be sure to check the box labeled "This bug is a security vulnerability".
While we prefer that security bugs be reported via Launchpad, they can also be reported to security@evergreen-ils.org.
NOTE: If you are an active Evergreen "bug wrangler" or similar, you may instead have an option to change "This bug contains information that is:" from "Public" to "Private Security".
While a security-related bug is in progress, the original submitter and the Launchpad team "Evergreen Security" are the only ones who can see the details of the bug. The current roster of individuals in the "Evergreen Security" Launchpad team can be viewed here: https://launchpad.net/~evergreen-security
After a security bug has been evaluated and either fixed or found to be invalid, the full details of the bug will be publicly visible. Please avoid placing information in a security bug report which should not be made public in this manner.
After a security bug is reported in Launchpad, notification is sent to the members of the "Evergreen Security" Launchpad team.
Your bug report will be evaluated, and you may be contacted by the security team and asked to provide additional details.
The security team will work to develop a fix and/or workaround as appropriate.
Communication during the bug fixing process takes place within the Launchpad bug tracking system and/or via e-mail over the Evergreen security team mailing list.
When a fix for the security release is available, including instructions for how to apply the fix to an existing Evergreen installation, the Launchpad bug will be made public. An announcement will be made to the community regarding the nature of the issue, including a call for testers. Testers should note their success/failures directly in the Launchpad ticket.
After testing, the code will be merged to the relevant public Evergreen branches (origin/main, origin/rel_2_3, …) and the Launchpad entries will be marked as Fix Committed. From here, the process proceeds the same as a regular non-security release, though every effort will be made to cut the releases in a timely fashion.
Security releases are announced via the Evergreen blog and via e-mail to the open-ils-general mailing list.
This section was proposed on 2015-03-12
The purpose of the Evergreen security team is to review reports of specific security flaws in Evergreen, to write and test patches to fix or ameliorate those flaws, and to perform security releases.
Membership in the Evergreen security team is available to individuals who meet all of the following conditions:
Membership applications may be made by contacting one of the current security team members; a list of the current members' names will be maintained on the Evergreen wiki. [(Proposed addition, pending approval) Application for membership should include indication that you have read and agree to the conditions stated above.]
Violations of the promises in (2) and (3) may result in immediate expulsion from the security team.
Membership in the security team belongs to individuals, not institutions. Membership comes with an expectation that each member will actively participate at least part of the time; it is not to be treated simply as a means of gaining early access to information about security vulnerabilities in Evergreen.
The team membership list will be reviewed annually; members who have not made substantive contributions to the team may be dropped from the list, but are free to apply to rejoin.
Members of the security team will have access to the following restricted resources in order to carry out their work: