Diese Seite wurde zuletzt 2020-06 aktualisiert.

Dieser Prozessablauf wird derzeit geändert. Der aktuelle Stand kann hier eingesehen werden.

This page was last updated April 2023.

Researchers: during your study and network testing, we ask that you refrain from the following: - Performing active exploits or Denial of Service attacks on the I2P network - Performing social engineering on I2P team and community members - Performing any physical or electronic attempts against I2P property and/or data centers

As I2P is an open-source community, many volunteers and development team members run their own I2P Sites as well as public (“non-private internet”) domains. These sites/servers are NOT in the scope of the vulnerability assessment / response process, only the underlying code of I2P is.

I. Anlaufstelle für Sicherheitsprobleme

security (at) geti2p.net - GPG Key fingerprint = EA27 06D6 14F5 28DB 764B F47E CFCD C461 75E6 694A

II. Sicherheits-Reaktionsteam

Echelon is the trusted security point-of-contact. He forwards emails to team members as appropriate.

III. Reaktion auf Trobleshooting

  1. Researcher submits report via: security (at) geti2p.net
  2. Response Team designates a Response Manager who is in charge of the particular report based on availability and/or knowledge-set.
  3. In no more than 3 working days, Response Team should respond to researcher using only encrypted methods.
  4. Response Manager makes inquiries to satisfy any needed information and to confirm if submission is indeed a vulnerability.
    1. Wenn die Einreichung eine Sicherheitslücke darstellt, weiter im Ablauf.
    2. Wenn sie keine Sicherheitslücke ist:
      1. Der Response-Manager gibt eine begründete Antwort warum die Einreichung keine Sicherheitslücke darstellt.
      2. Der Response-Manager verschiebt die Diskussion in ein neues oder existierendes Ticket im öffentlichen Bereich des Trac falls nötig.
  5. Schweregrad der Sicherheitslücke feststellen:
    Betrifft das Netzwerk als solches, hat das Potential das ganze Netzwerk lahmzulegen oder gehört in die Größenordnung einer bedeutsamen Katastrophe.
    Affects individual routers, or must be carefully exploited.
    Kann nicht leicht ausgenutzt werden.
  6. Respond according to the severity of the vulnerability:
    1. Schweregrad HIGH muss auf der Website und im Nachrichten-Feed innerhalb von 3 Werktagen ab Einstufung bekannt gegeben werden.
      1. Die Bekanntmachung sollte den Nutzern angemessene Gegenmaßnahmen nahelegen, falls möglich.
      2. Die Bekanntmachung darf keine Details offenlegen, die eine Möglichkeit zur Ausnutzung aufzeigen.
      3. Letzteres hat Vorrang gegenüber ersterem.
    2. Schweregrade MEDIUM und HIGH erfordern ein Punkt-Release.
    3. Schweregrad LOW wird im nächsten regulären Release berücksichtigt.
  7. Das Reaktionsteam wendet geeignete Patches an.
    1. Response Manager works on a patch LOCALLY, patches are shared by the response team via PGP-encrypted e-mail until such a time as it is safe to expose to the public.
    2. Patches are reviewed with the researcher.
    3. Any messages associated with PUBLIC commits during the time of review should not make reference to the security nature of the PRIVATE branch or its commits.
    4. Die Ankündigung der Sicherheitslücke wird vorbereitet.
      1. Der Schweregrad der Sicherheitslücke soll darin enthalten sein.
      2. Die betroffenen Systeme/Applikationen sollen enthalten sein.
      3. Include solutions (if any) if patch cannot be applied.
    5. Releasedatum wird disktutiert.
  8. At release date, Response Team coordinates with developers to finalize update:
    1. Response Manager propagates the "hotfix branch" to trunk.
    2. Response Manager includes vulnerability announcement draft in release notes.
    3. Proceed with the Point or Regular Release. At this time, it is not possible to release an in-network update for only one operating system or architecture. In order that all affected products can be released as quickly as possible, the person responsible for that software should be able to perform necessary release processes in a timely manner. Importantly this should include consideration for package maintainers in Debian, Ubuntu and F-Droid.

IV. Post-release Disclosure Process

  1. Response Team has 90 days to fulfill all points within section III.
  2. If the Incident Response process in section III is successfully completed:
    1. Response Manager contacts researcher and asks if researcher wishes for credit.
    2. Die Ankündigung der Sicherheitslücke wird fertiggestellt und soll das Folgende enthalten:
      1. Projektname und URL.
      2. Betroffene Versionen, soweit bekannt.
      3. Nicht betroffene Versionen (z.B. wenn der sicherheitskritische Code in einer neuen Version hinzugekommen ist und ältere Versionen das Problem dadurch nicht haben).
      4. Ungeprüfte Versionen.
      5. Art der Sicherheitslücke und ihr Auswirkungen.
      6. If already obtained or applicable, a CVE-ID.
      7. The planned, coordinated release date.
      8. Mitigating factors (for example, the vulnerability is only exposed in uncommon, non-default configurations).
      9. Workarounds (configuration changes users can make to reduce their exposure to the vulnerability).
      10. If applicable, credits to the original reporter.
    3. Release finalized vulnerability announcement on website and in news feed.
      1. If the vulnerability may be exploited while the network is being upgraded, delay the announcement until the vulnerable routers are upgraded.
      2. After the update is successful, write the announcement for the news feed, send it for translation, and release it.
      3. When translations come in, news operators should pull in the translations and update their feeds.
    4. For HIGH severities, release finalized vulnerability announcement on well-known mailing lists:
      1. oss-security@lists.openwall.com
      2. bugtraq@securityfocus.com
    5. If applicable, developers request a CVE-ID.
      1. The commit that applied the fix is made reference too in a future commit and includes a CVE-ID.
  3. If the Incident Response process in section III is *not* successfully completed:
    1. Response Team and developers organize an IRC meeting to discuss why/what points in section III were not resolved and how the team can resolve them in the future.
    2. Any developer meetings immediately following the incident should include points made in section V.
    3. If disputes arise about whether or when to disclose information about a vulnerability, the Response Team will publicly discuss the issue via IRC and attempt to reach consensus.
    4. If consensus on a timely disclosure is not met (no later than 90 days), the researcher (after 90 days) has every right to expose the vulnerability to the public.

V. Analyse des Vorfalls

  1. Codebasis isolieren
    1. Response Team and developers should coordinate to work on the following:
      1. Problematic implementation of classes/libraries/functions, etc.
      2. Focus on apps/distro packaging, etc.
      3. Operator/config error, etc.
  2. Auditing
    1. Response Team and developers should coordinate to work on the following:
      1. Auditing of problem area(s) as discussed in point 1.
      2. Generate internal reports and store for future reference.
      3. If results are not sensitive, share with the public via IRC or public Trac.
  3. Response Team has 45 days following completion of section III to ensure completion of section V.

VI. Resolutions

Any further questions or resolutions regarding the incident(s) between the researcher and response + development team after public disclosure can be addressed via the following:

  1. Trac
  2. IRC
  3. Email
  4. Twitter

VII. Kontinuierliche Verbesserungen

  1. Response Team and developers should hold annual meetings to review the previous year's incidents.
  2. Response Team or designated person(s) should give a brief presentation, including:
    1. Areas of I2P affected by the incidents.
    2. Any network downtime or monetary cost (if any) of the incidents.
    3. Ways in which the incidents could have been avoided (if any).
    4. How effective this process was in dealing with the incidents.
  3. After the presentation, Response Team and developers should discuss:
    1. Potential changes to development processes to reduce future incidents.
    2. Potential changes to this process to improve future responses.