Vulnerabilities and incident handling
Product vulnerability reports
See also
If you have used AI to find a security issue in Weblate, please read Using AI to create issues first.
The Weblate development team is firmly committed to the responsible reporting and disclosure of security-related issues. We have adopted, and follow, policies that match the goal of delivering security updates to Weblate promptly.
Product vulnerability reports cover security issues in Weblate source code, release artifacts, and documented Weblate security properties. They do not replace operational incident response for a particular deployment.
Most ordinary bugs in Weblate can be reported to our public GitHub issue tracker, but because of the sensitive nature of security issues we ask that they not be reported publicly that way.
If you believe you have found something in Weblate with security implications, please send a description of the issue to security@weblate.org, report it via GitHub (not through the public issue tracker), or use HackerOne.
Self-hosted operators should use this process when they believe an incident in their own deployment is caused by a Weblate product vulnerability. Local containment, recovery, customer notification, provider escalation, and other deployment-specific incident response remain the operator's responsibility.
A member of the security team will respond within 48 hours; depending on the action taken, you may receive further follow-up e-mails.
Note
Sending encrypted reports
If you want to send an encrypted e-mail (optional), use the public key for security@weblate.org with the fingerprint 8EA7 6E43 0976 3323 C2E3 D5A0 C472 9F23 8A80 EA93.
This key is available on the most common key servers, via WKD, or directly from weblate.org. Whichever source you fetch it from, compare the fingerprint of the key you obtained against the one printed above before encrypting.
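The fetch-then-pin step described in the note, written out as an added example (this is not a script from Weblate's documentation or repository). It assumes gpg is installed and that a network connection is available for the WKD lookup; the fingerprint is the one printed above, and the report file name is passed via a hypothetical REPORT_FILE environment variable. Because the script pins the fingerprint itself, it tells gpg to skip the web-of-trust check with --trust-model always; without the pin that flag would be unsafe.

```shell
#!/bin/sh
# Added example, not Weblate's own code: fetch the security@weblate.org key
# over WKD, verify it against the fingerprint documented on the page, and only
# then encrypt a report to it.
set -eu

# Fingerprint as printed on the page (assumed current; re-check the page).
WEBLATE_SEC_FPR="8EA7 6E43 0976 3323 C2E3 D5A0 C472 9F23 8A80 EA93"
WEBLATE_SEC_MAIL="security@weblate.org"

# Normalize a fingerprint for comparison: strip whitespace, uppercase.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Succeed only if the candidate fingerprint equals the pinned one.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$WEBLATE_SEC_FPR")" ]
}

# Fetch the key via WKD (needs network) and print the primary fingerprint
# gpg reports for it, taken from the machine-readable "fpr" record (field 10).
fetch_key_fpr() {
    gpg --batch --auto-key-locate clear,wkd --locate-keys "$WEBLATE_SEC_MAIL" >/dev/null
    gpg --batch --with-colons --fingerprint "$WEBLATE_SEC_MAIL" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Encrypt $1 to the pinned key, writing $1.asc; refuse on any mismatch.
encrypt_report() {
    report="$1"
    got="$(fetch_key_fpr)"
    if ! fpr_matches "$got"; then
        echo "refusing to encrypt: fetched key fingerprint $got does not match the pinned one" >&2
        return 1
    fi
    # The fingerprint is pinned above, so gpg's own trust check is bypassed.
    gpg --batch --armor --encrypt --trust-model always \
        -r "$(normalize_fpr "$got")" -o "$report.asc" "$report"
}

# Usage: REPORT_FILE=report.txt sh encrypt-report.sh
if [ -n "${REPORT_FILE:-}" ]; then
    encrypt_report "$REPORT_FILE"
fi
```

If the fingerprint in the note ever changes, update WEBLATE_SEC_FPR from the page rather than trusting whatever the key server or WKD returns; the comparison is the whole point of the script.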
Incidents in services operated by Weblate
Operational incidents affecting Hosted Weblate, Dedicated Weblate, or other deployments operated by Weblate s.r.o. are handled according to the Weblate Incident Response Plan.
When such an incident also involves a Weblate product vulnerability, the vulnerability report and the public advisory follow the product vulnerability reporting process and the vulnerability disclosure policy on this page.
Incidents in self-hosted deployments
Operators of self-hosted Weblate deployments are responsible for their own local incident response process, including containment, recovery, notification, and provider-specific escalation. The Weblate Incident Response Plan used by Weblate-operated services can serve as a reference, but it is not a maintained incident response plan for third-party deployments.
If a self-hosted incident appears to be caused by a Weblate product vulnerability, report it using the product vulnerability reporting process above.
Vulnerability disclosure policy
For Weblate product vulnerabilities, a security advisory is published at https://github.com/WeblateOrg/weblate/security/advisories within 30 days of the release that contains the fix. Where possible, the advisory is available immediately after the release.
For any actively exploited Weblate vulnerability, or any severe incident affecting services operated by Weblate, the CSIRT is notified within 24 hours, receives general information within 72 hours, and receives a full report within 14 days.
All Hosted Weblate and Dedicated Weblate customers affected by an actively exploited vulnerability or a severe incident are notified within 7 days.