By Nick Selby

Trail of Bits recently completed a security review of cURL, the ubiquitous tool and library for transferring data over a wide range of protocols. We were thrilled to see cURL founder and lead developer Daniel Stenberg write a blog post about the engagement and the report, and wanted to highlight some important points he raised.

In his post, Daniel describes how cURL has grown since its last audit in 2016, both as a project and as a codebase, and then turns to the work with Trail of Bits. He covers both the engagement experience and the final report.

His blog post provides terrific and meaningful context. He gives us high praise, as well as actionable critiques that our teams are considering for the future. He also highlights a finding with which he disagrees, explains why, and links to cURL's responses to each of the audit points.

We believe software providers should follow Daniel's lead if they choose to publish their security reviews. This kind of supplementary reading is badly needed: it lets developers provide greater context and clarity around their security decisions. It is also a great example of how engineering teams can work with us, and we are proud of the compliments and cognizant of our responsibility to consider his critiques diligently.

One vulnerability highlighted in Daniel's post is not included in the final report, because it was found after the review ended: our engineers kept a fuzzer running after the engagement concluded. That bug, a use-after-free, is now tracked as CVE-2022-43552. The details are available on cURL's website and were released in sync with the patch. Trail of Bits will publish a separate blog post about the bug.

While the bug itself is not a critical one, the process Daniel and the other cURL maintainers followed to fix it is a great example of a commitment to excellence. Some software developers treat discovering and patching vulnerabilities as something akin to failure; we believe it is a hallmark of how developers should handle security issues.

We highly recommend giving the audit report, the threat model, and Daniel’s post a read!
