From d7c9ede51d1ce98ece439bb8d5c54f30eb1ea50e Mon Sep 17 00:00:00 2001 From: Slavomir Date: Thu, 10 Jun 2021 20:33:01 +0300 Subject: [PATCH 1/4] Update all-for-one.md --- .github/ISSUE_TEMPLATE/all-for-one.md | 74 ++++++++++++++++++++++----- 1 file changed, 62 insertions(+), 12 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/all-for-one.md b/.github/ISSUE_TEMPLATE/all-for-one.md index e6b8580..335a63f 100644 --- a/.github/ISSUE_TEMPLATE/all-for-one.md +++ b/.github/ISSUE_TEMPLATE/all-for-one.md 
@@ -1,32 +1,82 @@ --- name: All for One, One For All bounty submission about: Submit a CodeQL query for the All For One, One For All bounty (https://securitylab.github.com/bounties) -title: "[USERNAME]: [SUMMARY]" +title: "[TARGET-LANGUAGE]: [SUMMARY]" labels: All For One assignees: '' --- -## Query +## 1. Query -*Link to pull request with your CodeQL query:* +### Instructions ❓ + +Link to pull request with your CodeQL query: + +### Your answer 👇 Relevant PR: https://github.com/github/codeql/pull/nnnn -## CVE ID(s) +## 2. Report -*List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the [GitHub Advisory Database](https://github.com/advisories).* +### Instructions ❓ -- CVE-20nn-nnnnn +Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community. + +### Your answer 👇 (you can ignore the suggested format) + +1. What is the vulnerability? + - Answer: ... +1. How does the vulnerability work? + - Answer: ... +1. What strategy do you use in your query to find the vulnerability? + - Answer: ... +1. How have you reduced the number of **false positives**? + - Answer: ... +1. Etc. + - Answer: ... + +## 3. Social + +### Instructions ❓ + +Are you planning to discuss your query publicly? (Blog Post, social networks, etc). + +**We would love to [help] you spread the word about the good work you are doing.** -## Report +### Your answer 👇 -*Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.* +- [ ] Yes +- [ ] No +- [ ] Yes, I already have: [link](link) -- [ ] Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). *We would love to have you spread the word about the good work you are doing* +## 4. 
Result(s) -## Result(s) +### Instructions ❓ -*Provide at least one useful result found by your query, on some revision of a real project.* +- Provide at least one useful result found by your query, on some revision of a real project. +- If the result(s) is **fixed and disclosed**, then you can link it in this PR. +- If the result(s) is **NOT** fixed **and disclosed**, then you can privately share your result via email to [security@github.com](mailto:security@github.com?subject=[BugBounty]%20Issue%20#000%20useful%20result) or on the [Security Lab slack](https://ghsecuritylab.slack.com/) sending it to `@TODO`. +- Even though your query is **out in the wild** (and it's quite trivial to run it against a sizable batch of projects), let's **not make things easy** for anyone wanting to exploit vulnerable projects. +- We understand that contacting maintainers of all the vulnerable repositories found by your query is a hard and lenghty process, and that's why we will add a bonus if you will do that **for at least X repositories** and get a [CVE assigned for them]. +- Anyway, we're here for **automating things away** and if you want to leave the heavy lifting of finding and notifying vulnerable repositories' owners to GitHub security bots, that's fine with us. +- But in any case, we need proof that you **did your own reaserch** on real projects, and succeeded in finding at least one **true positive result [through your query]**. -- [description](url) +### Your answer 👇 (select one) + +- [ ] I will provide the result(s) **privately** to the Security Lab. + +**OR** + +- [ ] The vulnerability is already **fixed and disclosed**. + - Description: URL to vulnerable code + +## 5. CVE ID(s) + +### Instructions ❓ + +List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the [GitHub Advisory Database](https://github.com/advisories). + +### Your answer 👇 + +- CVE-20nn-nnnnn From 669b796f62373292ca47594fe57997425230beea Mon Sep 17 00:00:00 2001 
From: Slavomir Date: Thu, 10 Jun 2021 21:07:49 +0200 Subject: [PATCH 2/4] Clarify distinction between existing CVEs and CVEs found with the submitted query --- .github/ISSUE_TEMPLATE/all-for-one.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/all-for-one.md b/.github/ISSUE_TEMPLATE/all-for-one.md index 335a63f..8eb4bb9 100644 --- a/.github/ISSUE_TEMPLATE/all-for-one.md +++ b/.github/ISSUE_TEMPLATE/all-for-one.md @@ -77,6 +77,11 @@ Are you planning to discuss your query publicly? (Blog Post, social networks, et List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the [GitHub Advisory Database](https://github.com/advisories). + ### Your answer 👇 -- CVE-20nn-nnnnn +- Existing CVEs that my query would have been able to find if they weren't already fixed: + 1. CVE-20nn-nnnnn + +- Vulnerabilities that my query found and then resulted in a CVE: + 1. CVE-20nn-nnnnn From 1ada9d8069e7dc4c0dd0b85193205d709f209ff0 Mon Sep 17 00:00:00 2001 From: Slavomir Date: Thu, 10 Jun 2021 21:16:35 +0200 Subject: [PATCH 3/4] Fix phrasing --- .github/ISSUE_TEMPLATE/all-for-one.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/all-for-one.md b/.github/ISSUE_TEMPLATE/all-for-one.md index 8eb4bb9..13d5852 100644 --- a/.github/ISSUE_TEMPLATE/all-for-one.md +++ b/.github/ISSUE_TEMPLATE/all-for-one.md @@ -42,7 +42,7 @@ Describe the vulnerability. Provide any information you think will help GitHub a Are you planning to discuss your query publicly? (Blog Post, social networks, etc). -**We would love to [help] you spread the word about the good work you are doing.** +**We would love to [help you] spread the word about the good work you are doing.** ### Your answer 👇 
@@ -56,7 +56,7 @@ Are you planning to discuss your query publicly? (Blog Post, social networks, et - Provide at least one useful result found by your query, on some revision of a real project. - If the result(s) is **fixed and disclosed**, then you can link it in this PR. -- If the result(s) is **NOT** fixed **and disclosed**, then you can privately share your result via email to [security@github.com](mailto:security@github.com?subject=[BugBounty]%20Issue%20#000%20useful%20result) or on the [Security Lab slack](https://ghsecuritylab.slack.com/) sending it to `@TODO`. +- If the result(s) is **NOT** fixed **nor disclosed**, then you can privately share your result via email to [security@github.com](mailto:security@github.com?subject=[BugBounty]%20Issue%20#000%20useful%20result) or on the [Security Lab slack](https://ghsecuritylab.slack.com/) sending it to `@TODO`. - Even though your query is **out in the wild** (and it's quite trivial to run it against a sizable batch of projects), let's **not make things easy** for anyone wanting to exploit vulnerable projects. - We understand that contacting maintainers of all the vulnerable repositories found by your query is a hard and lenghty process, and that's why we will add a bonus if you will do that **for at least X repositories** and get a [CVE assigned for them]. - Anyway, we're here for **automating things away** and if you want to leave the heavy lifting of finding and notifying vulnerable repositories' owners to GitHub security bots, that's fine with us. From 44c41313da3a7236a0f9676ff99a8cefd58f9189 Mon Sep 17 00:00:00 2001 From: Slavomir Date: Thu, 10 Jun 2021 21:28:31 +0200 Subject: [PATCH 4/4] Improve phrasing --- .github/ISSUE_TEMPLATE/all-for-one.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/all-for-one.md b/.github/ISSUE_TEMPLATE/all-for-one.md index 13d5852..dc6e914 100644 --- a/.github/ISSUE_TEMPLATE/all-for-one.md +++ b/.github/ISSUE_TEMPLATE/all-for-one.md 
@@ -60,7 +60,7 @@ Are you planning to discuss your query publicly? (Blog Post, social networks, et - Even though your query is **out in the wild** (and it's quite trivial to run it against a sizable batch of projects), let's **not make things easy** for anyone wanting to exploit vulnerable projects. - We understand that contacting maintainers of all the vulnerable repositories found by your query is a hard and lenghty process, and that's why we will add a bonus if you will do that **for at least X repositories** and get a [CVE assigned for them]. - Anyway, we're here for **automating things away** and if you want to leave the heavy lifting of finding and notifying vulnerable repositories' owners to GitHub security bots, that's fine with us. -- But in any case, we need proof that you **did your own reaserch** on real projects, and succeeded in finding at least one **true positive result [through your query]**. +- But in any case, we need proof that you **did your own reaserch** on [real projects], and succeeded in finding at least one **true positive result [through your query]**, proving that is it a **real vulnerability** that happens in real apps (and not a baseless assumption). ### Your answer 👇 (select one)
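Review bot: the new Result(s) instructions in the first patch (@@ -1,32 +1,82 @@) ship several unresolved placeholders to submitters: the Slack recipient `@TODO`, the bonus threshold "for at least X repositories", the mailto subject "Issue #000", and the bracketed editorial markers "[help]" and "[CVE assigned for them]"; resolve each, or drop the bullet, before merging, because these render verbatim in every new issue. The same block has two typos, "lenghty" and "reaserch", and the third bullet's condition "NOT fixed and disclosed" reads as "not fixed, and disclosed", the opposite of the intended "not yet both fixed and disclosed". Separately, the title change from "[USERNAME]: [SUMMARY]" to "[TARGET-LANGUAGE]: [SUMMARY]" drops the submitter's name from the issue title without being mentioned in the commit message "Update all-for-one.md"; worth a sentence explaining why.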
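Review bot: in the second patch (@@ -77,6 +77,11 @@) the added blank `+` line lands next to the blank line that already precedes "### Your answer 👇", leaving two consecutive empty lines in the CVE section; drop it so the whitespace matches the other sections. The split into "Existing CVEs that my query would have been able to find" and "Vulnerabilities that my query found and then resulted in a CVE" is a useful distinction, but the second list overlaps with section 4's "fixed and disclosed" result; a short pointer such as "(link the fixed result in section 4)" would keep submitters from entering the same finding twice.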
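Review bot: in the third patch's first hunk (@@ -42,7 +42,7 @@), moving the bracket from "[help]" to "[help you]" keeps the square brackets in the rendered template, so the sentence still reads as an unfinished editorial note; remove the brackets entirely: "**We would love to help you spread the word about the good work you are doing.**"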
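Review bot: in the third patch's second hunk (@@ -56,7 +56,7 @@), "NOT fixed nor disclosed" means neither fixed nor disclosed, so it does not cover a result that is fixed but not yet disclosed (or disclosed but unfixed), and "NOT ... nor" is a double negative; since the previous bullet uses "fixed and disclosed", phrase this one as its complement, e.g. "If the result(s) is not yet both fixed and disclosed, then ...". The `@TODO` Slack handle on the same line and the "lenghty" typo on the following context line remain unresolved in this hunk as well.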
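Review bot: in the fourth patch (@@ -60,7 +60,7 @@) the rewritten bullet contains "proving that is it a **real vulnerability**", which should be "proving that it is a **real vulnerability**", and "reaserch" is still misspelled on a line this commit already touches; fix both here. The bracketed "[real projects]" and "[through your query]" are editorial markers that will render as-is, and "(and not a baseless assumption)" reads as dismissive toward submitters; "rather than a theoretical pattern" states the same requirement.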