Posted to commits@solr.apache.org by ho...@apache.org on 2022/11/01 20:33:56 UTC

[solr-site] branch main updated: Warn about scans in security section. (#80)

This is an automated email from the ASF dual-hosted git repository.

houston pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-site.git


The following commit(s) were added to refs/heads/main by this push:
     new 9822bd2f7 Warn about scans in security section. (#80)
9822bd2f7 is described below

commit 9822bd2f7ec1ca38c1932d11ab0268e8ed171b05
Author: Houston Putman <ho...@apache.org>
AuthorDate: Tue Nov 1 16:33:51 2022 -0400

    Warn about scans in security section. (#80)
    
    Co-authored-by: David Smiley <ds...@apache.org>
---
 content/pages/security.md | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/content/pages/security.md b/content/pages/security.md
index 7ed73b1e5..a60272e6b 100644
--- a/content/pages/security.md
+++ b/content/pages/security.md
@@ -4,9 +4,24 @@ save_as: security.html
 template: security
 
 ## How to report a security issue
-If you believe you have discovered a vulnerability in Solr, you may first want to consult the [list of known false positives](https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools) to make sure you are reporting a real vulnerability.
-Then please disclose responsibly by following [these ASF guidelines](https://www.apache.org/security/) for reporting.
 
+### CVEs in Solr dependencies
+
+The Solr PMC will not accept the output of a vulnerability scan as a security report.
+
+Solr depends on lots of other open-source software -- "dependencies".
+If a CVE is published (a publicly identified vulnerability) against one of them, the Solr project will review it to see if it's actually exploitable in Solr -- usually they aren't.
+Please review the [officially published non-exploitable vulnerabilities](https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools) before taking any steps.
+If you **don't** see a CVE there, you should take the following steps:
+
+1. Search through the [Solr users mailing list](https://lists.apache.org/list.html?users@solr.apache.org) to see if anyone else has brought up this dependency CVE.
+1. If no one has, then please do [subscribe to the users mailing list](https://solr.apache.org/community.html#mailing-lists-chat) and then send an email asking about the CVE.
+
+### Exploits found in Solr
+
+The Solr PMC greatly appreciates the reporting of security vulnerabilities found in Solr itself.
+
+Then please disclose responsibly by following [these ASF guidelines](https://www.apache.org/security/) for reporting.
 You may file your request by email to <ma...@solr.apache.org>.
 
 ## More information
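Review bot: the dependency-CVE steps under "### CVEs in Solr dependencies" route every CVE that is not on the non-exploitable list to the public users@ mailing list, including the case where the reporter can show the dependency flaw actually is reachable in Solr, which is exactly the case the page otherwise asks to be disclosed privately. Add a sentence before the numbered list, along the lines of "If you have evidence that the dependency CVE is exploitable in Solr, do not post it publicly; report it as described under 'Exploits found in Solr' below", so that the public-list steps are clearly scoped to "is this scanner hit relevant?" questions. Two smaller points in the same hunk: the line "+Then please disclose responsibly by following [these ASF guidelines]" now follows "The Solr PMC greatly appreciates the reporting of security vulnerabilities found in Solr itself." and the "Then" no longer has a preceding step to refer to (the removed "you may first want to consult ..." sentence was its antecedent), so it should read "Please disclose responsibly ..."; and the heading "### Exploits found in Solr" is narrower than the text under it, which talks about vulnerabilities, so "### Vulnerabilities found in Solr" would match the paragraph and the page title better.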