hugo/content/about/security/_index.md

author: Gary Kramlich <grim@reaperworld.com>
date: Sun, 10 Nov 2024 00:47:44 -0600
changeset 544: 6532ddaa3587
parent 467: fb9521f27d7d
permissions: -rw-r--r--

Add EionRobb's ChatGPT protocol plugin and update the signal protocol plugins

Testing Done:
Ran `npm run hugo:server` and verified it locally.

Reviewed at https://reviews.imfreedom.org/r/3649/

---
title: Security
type: security
weight: 1000
---

Because Pidgin is a network client that interacts with untrusted users and
servers, managing vulnerabilities and security response is important to the
Pidgin project and to our users.  We have established procedures for collecting
security-related information, and for disclosing this information to the
public.

Please see our comprehensive [list of known and reported security
advisories]({{< ref "about/security/advisories" >}}) for information on past
vulnerabilities.

## Reporting a Security-related Issue

If you believe you have discovered a security problem or vulnerability in
Pidgin, libpurple, Finch, or one of our related projects, please let us know
by using one of the following methods:

* **Our preferred way:** Emailing
  [security@pidgin.im](mailto:security@pidgin.im).
  If you choose this method and would like to encrypt the contents of your
  email, you may use the [PGP key of our lead developer]({{< static
  "pgp-pubkey/grim-pubkey.asc" >}}).
* **Alternatively:** Use this specific
  [new issue](https://issues.imfreedom.org/newIssue?project=PIDGIN&c=visible%20to%20Pidgin%20Developers)
  link, which creates a new issue in our issue tracker with its visibility
  already set so that only the `Pidgin Developers` team can see it. You can
  verify the visibility selection by looking for it right above the *Create*
  button. Setting a limited visibility is of *utmost* importance: otherwise we
  would have to consider the vulnerability to have been made public, since
  everyone could read it from our issue tracker.

In order to help us fix the problem as quickly as possible, and with as little
exposure of our users to malicious actors as can be managed, we ask that you
give us a chance to fix the problem before you publish its existence or details
in a public forum, and that you provide us with as much information as you can.
In return, we will endeavor to respond to your concerns in a timely fashion.
When reporting a security-related bug or a vulnerability, please provide us
with as much of the information in the following list as possible.  If you
don't know what something is or how to provide it, that's OK: leave it out and
tell us what you do know.

* A way to contact you or your organization.
* The version of Pidgin, libpurple, Finch, or other package in which the
  problem was discovered.
* A concise description of the problem, including a summary of why you believe
  it is security-critical.  This might be, for example, "Receipt of an invalid
  XMPP message containing the tag `<foo>` causes Pidgin to write data to an
  invalid memory location."
* Steps to reproduce the problem, if known.
* Any debugging information, including backtraces (see our instructions for
  [obtaining a backtrace]({{< ref "development/debugging#obtaining-a-backtrace" >}})),
  a debug log (the output of `pidgin --debug`), etc.
* Any proof of concept exploits, debugging tools, or other information you have
  and are willing to divulge.
* The oldest and newest versions of our software affected by the bug *to the
  best of your knowledge*.  If you don't know, that's fine &mdash; we'll try to
  find out.
* Information on any security reports or vulnerability assessments you may have
  already made on the issue (preferably not yet public, as mentioned above).
* Any proposed embargo dates, release schedules, etc. you or your organization
  may have established.

## Receiving Security-related Reports

We maintain a list of packagers and maintainers of Pidgin and related software
whom we notify of security vulnerabilities and their fixes prior to disclosure
to the public.  This allows packagers and distributors of our software to
release patched or updated versions simultaneously with the public disclosure
of known issues.  We attempt to give this list sufficient advance warning so
that packages can be properly prepared before disclosure.

If you believe you should be on this list, please contact
[security@pidgin.im](mailto:security@pidgin.im) and let us know why.
