reports: add 2024 Q3 report

reports/2024-11-14-Q3-report.md

@@ -0,0 +1,145 @@
+# Haskell Security Response Team - 2024 July–October report + new members
+
+The Haskell Security Response Team (SRT) is a volunteer organization
+within the Haskell Foundation that is building tools and processes
+to aid the entire Haskell ecosystem in assessing and responding to
+security risks.  In particular, we maintain a [database][repo] of
+security advisories that can serve as a data source for security
+tooling.
+
+This report details the SRT activities from July through October
+\2024.  We extended this reporting period by one month to include
+the results of our recent Call for Volunteers.
+
+[repo]: https://github.com/haskell/security-advisories
+
+The SRT is:
+
+- Fraser Tweedale
+- Gautier Di Folco
+- Lei Zhu (new!)
+- Mihai Maruseac
+- Montez Fitzpatrick (new!)
+- Tristan de Cacqueray
+
+
+## How to contact the SRT
+
+For assistance in coordinating a security response to newly
+discovered, high impact vulnerabilities, contact
+`[email protected]`.  Due to limited resources, we can
+only coordinate embargoed disclosures for high impact
+vulnerabilities affecting current versions of core Haskell tools and
+libraries, or in other exceptional cases.
+
+You can submit lower-impact or historical vulnerabilities to the
+advisory database via a pull request to our [GitHub
+repository][repo].
+
+You can also contact the SRT about non-advisory/security-response
+topics.  We prefer public communication where possible.  In most
+cases, [GitHub issues][gh-new-issue] are an appropriate forum.  But
+the mail address is there if no other appropriate channel exists.
+
+[gh-new-issue]: https://github.com/haskell/security-advisories/issues/new/choose
+
+
+## Growing the SRT
+
+Following our mid-year decision to grow the SRT, José on behalf of
+the SRT published a [Call for Volunteers].  Applications closed at
+the end of September, with 4 applications received.  Thank you to
+all applicants!  We accepted 2 of the proposals, having in mind the
+long term sustainability of the SRT as a volunteer organisation
+(i.e. we should avoid burning the willing volunteers all at once!)
+
+The new members of the SRT are:
+
+- **Lei Zhu**, who brings experience with web security, Linux
+  security, privacy regulations and threat analysis.  Lei has also
+  contributed to HLS, vscode-haskell, and related projects, and
+  maintains the *array* package.
+
+- **Montez Fitzpatrick** has a breadth of cybersecurity experience
+  across two decades.  As CISO of a healthcare company, GRC is
+  his current focus.  He has used Haskell professionally to build
+  tooling for cybersecurity tasks.
+  and is currently the CISO of a healthcare company.
+
+Welcome to the team!
+
+[Call for Volunteers]: https://discourse.haskell.org/t/call-for-volunteers-haskell-security-response-team-2024/10287
+
+
+## Advisory database
+
+1 contemporary advisory was published during the reporting period.
+
+0 historical advisories were added during the reporting period.
+
+2 HSEC IDs (HSEC-2024-0004 and HSEC-2024-0005) **remain** reserved
+for embargoed vulnerabilities, which will be published later.
+
+Additionally, [HSEC-2024-0003] received substantive updates, because
+it was discovered that the original fix was incomplete.
+
+We ask community members to report any known security issues,
+including historical issues, that are not yet included.
+
+[HSEC-2024-0003]: https://osv.dev/vulnerability/HSEC-2024-0003
+
+
+## `haskell.org` Apache security update
+
+In early August bug hunter Divya Singh ([Dgirlwhohacks]) notified
+the SRT that the version of Apache httpd serving `haskell.org` was
+vulnerable to CRLF injection.  We escalated the issue to the
+[Haskell Infrastructure Admins][haskell-infra], and Gershom Bazerman
+promptly resolved the issue by upgrading Apache.  Thanks to Divya
+for reporting, and Gershom for fixing the issue.
+
+[Dgirlwhohacks]: https://www.linkedin.com/in/dgirlwhohacks/
+[haskell-infra]: https://github.com/haskell-infra/haskell-admins
+
+
+## *hackage-server* "Reporting Vulnerabilities" link
+
+Gautier implemented a *Reporting Vulnerabilities* link on package
+pages in *hackage-server* ([pull request #1292]).  The change has
+been deployed on `hackage.haskell.org`.  For now it links to
+`CONTRIBUTING.md` in the *haskell/security-advisories* GitHub
+repository.
+
+In the future we would like to improve the contributor experience
+(e.g. a web form).  But this small change is a big improvement
+because it alerts users that they *can* report security issues.
+
+[pull request #1292]: https://github.com/haskell/hackage-server/pull/1292
+
+
+## Tooling updates
+
+- CVSS 4.0 support is stalled.  andrii (@unorsk) did significant
+  initial work, and Fraser is reviewing, iterating and integrating
+  it.  CVSS 4.0 is *much* more complex than previous versions, and
+  parts of the specification are ambiguous.  We hope to finish the
+  implementation and release updates around the end of year.
+
+- Hécate is working on integrating security advisory data in
+  *flora-server* ([pull
+  request](https://github.com/flora-pm/flora-server/pull/762)).
+  They engaged the SRT for review (Gautier answered the call).
+
+- Because [Flora](https://flora.pm/) indexes Haskell packages from
+  namespaces beyond Hackage (e.g. Cardano), there is an ask
+  ([#240](https://github.com/haskell/security-advisories/issues/240))
+  to extend the Advisory DB data model and tooling to support
+  additional namespaces.  We have agreed on the approach but we have
+  not started implementing it.
+
+- Mihai has been following the work by Janus Troelsen to add Haskell
+  support to [Renovate](https://github.com/renovatebot/renovate), an
+  automated dependency update tool.
+  - [Feature request](https://github.com/renovatebot/renovate/issues/8187)
+  - [PVP versioning module discussion](https://github.com/renovatebot/renovate/discussions/31663)
+  - [PVP versioning scheme pull request (open)](https://github.com/renovatebot/renovate/pull/32298)