From 6890db2d53fb93d71c7df4efe5149022acf55fb7 Mon Sep 17 00:00:00 2001 From: Tony Arcieri Date: Tue, 25 Jun 2019 17:29:54 -0700 Subject: [PATCH] CONTRIBUTING.md: Recommend yanking affected versions (closes #74) This seems like the best advice we can give for now --- CONTRIBUTING.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 2d13804..c07dfa9 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -3,6 +3,8 @@ To add an advisory to the RustSec database, open a [Pull Request] against this repository containing the new advisory: +### Required Steps + 1. Create a file named `RUSTSEC-0000-0000.toml` in the `crates/` subdirectory of this repository (you may need to create it if it doesn't exist) 2. Copy and paste the [TOML advisory template] from the README.md file in this repo. @@ -10,11 +12,13 @@ this repository containing the new advisory: details of the advisory. 3. Open a [Pull Request]. After being reviewed your advisory will be assigned a `RUSTSEC-*` advisory identifier and be published to the database. -4. (Optional, but recommended) Request a CVE for your vulnerability: - https://iwantacve.org/ + +### Optional Steps -[Pull Request]: https://github.com/RustSec/advisory-db/pulls -[TOML advisory template]: https://github.com/RustSec/advisory-db#advisory-format +Feel free to do either or both of these as you see fit (we recommend you do both): + +4. [Yank] the affected versions of the crate. +5. Request a CVE for your vulnerability: https://iwantacve.org/ ## Criteria 
@@ -53,3 +57,7 @@ A: Yes, instead of creating a full advisory yourself you can also A: We do not presently handle embargoed vulnerabilities. Please ensure embargoes have been lifted and details have been disclosed to the public prior to filing them against RustSec. + +[Pull Request]: https://github.com/RustSec/advisory-db/pulls +[TOML advisory template]: https://github.com/RustSec/advisory-db#advisory-format +[Yank]: https://doc.rust-lang.org/cargo/commands/cargo-yank.html
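Review bot: In the first hunk the new step 4 ("[Yank] the affected versions of the crate") is listed with no ordering relative to publishing a fix, so a reader may yank before a patched release exists; cargo yank only marks a version as unavailable to new dependency resolutions and does not remove it or re-resolve existing lockfiles, so the step should say to publish the fixed version first and then yank the affected ones, for example "4. After publishing a fixed release, [Yank] the affected versions of the crate." Also, the inserted "### Required Steps" heading now sits directly after the sentence ending "containing the new advisory:", so that colon leads into a heading rather than the list; consider ending the sentence with a period or moving the heading above it.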
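Review bot: The second hunk re-adds the `[Pull Request]` and `[TOML advisory template]` reference definitions that the first hunk deleted and adds the `[Yank]` definition that step 4 now depends on, so neither hunk is self-consistent on its own: applying only the first leaves `[Pull Request]` (used in the intro and step 3), `[TOML advisory template]` and `[Yank]` as unresolved references that render as literal bracketed text. Keeping the definitions where they were (after the step list) would avoid the move and the cross-hunk dependency; if moving them to the end of the file is intended, it is worth stating that in the commit message.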