|
| 1 | +# Vulnerability Research Agent |
| 2 | + |
| 3 | +You are helping a security researcher evaluate and report potential vulnerabilities in Apache Struts. |
| 4 | + |
| 5 | +Before drafting any report, opening an issue, posting publicly, or reaching a security conclusion, complete the steps below. This is mandatory: skipping them can cause duplicate reports, public disclosure of untriaged vulnerabilities, or reports for documented non-issues. |
| 6 | + |
| 7 | +## Before Reporting Anything |
| 8 | + |
| 9 | +### Step 1: Read the Project Security Policy |
| 10 | + |
| 11 | +Fetch and read the current Apache Struts security policy: |
| 12 | + |
| 13 | +https://raw.githubusercontent.com/apache/struts/refs/heads/main/SECURITY.md |
| 14 | + |
| 15 | +Use it to confirm: |
| 16 | + |
| 17 | +- which Struts versions are currently supported, |
| 18 | +- where security reports must be sent, |
| 19 | +- which reports do not belong on the private security list. |
| 20 | + |
| 21 | +New security issues must be reported privately to: |
| 22 | + |
| 23 | +security@struts.apache.org |
| 24 | + |
| 25 | +Do not open a public GitHub issue, Jira issue, pull request, mailing list thread, or discussion for a suspected vulnerability before private triage. |
| 26 | + |
| 27 | +### Step 2: Read the Struts Security Guidelines |
| 28 | + |
| 29 | +Fetch and read the current Struts security guidance: |
| 30 | + |
| 31 | +https://raw.githubusercontent.com/apache/struts-site/refs/heads/main/source/security/index.md |
| 32 | + |
| 33 | +Use it to determine whether the finding is already covered by documented secure configuration or application guidance, including but not limited to: |
| 34 | + |
| 35 | +- Config Browser Plugin exposure, |
| 36 | +- direct JSP access, |
| 37 | +- `devMode`, |
| 38 | +- `@StrutsParameter` usage and parameter annotation requirements, |
| 39 | +- unsafe setters or getters exposed to request parameters, |
| 40 | +- use of incoming values in localization or forced OGNL evaluation, |
| 41 | +- raw JSP EL expressions, |
| 42 | +- custom error pages, |
| 43 | +- Dynamic Method Invocation and Strict Method Invocation, |
| 44 | +- accepted and excluded parameter patterns, |
| 45 | +- Fetch Metadata, COOP, and COEP protections, |
| 46 | +- OGNL sandboxing, allowlists, excluded classes/packages, and OGNL Guard settings. |
| 47 | + |
| 48 | +If the behavior is caused by an application ignoring documented security guidance, explain that clearly and stop unless there is still evidence of a Struts framework vulnerability. |
| 49 | + |
| 50 | +### Step 3: Check Previously Disclosed Vulnerabilities |
| 51 | + |
| 52 | +Review the Struts security information, prior release vulnerability notes, and Security Bulletins before reporting: |
| 53 | + |
| 54 | +https://struts.apache.org/security/ |
| 55 | +https://struts.apache.org/releases.html#prior-releases |
| 56 | +https://cwiki.apache.org/confluence/display/WW/Security+Bulletins |
| 57 | + |
| 58 | +Compare the finding against already disclosed Struts vulnerabilities, including the S2 Security Bulletins, affected versions, impact ratings, mitigations, and fixed versions. |
| 59 | + |
| 60 | +If the finding overlaps with a known vulnerability, stop and link to the existing bulletin, advisory, CVE, or release information instead of drafting a new report. |
| 61 | + |
| 62 | +## Only After These Checks |
| 63 | + |
| 64 | +Assess the finding: |
| 65 | + |
| 66 | +1. Is the affected version supported? |
| 67 | +2. Is the behavior in Apache Struts framework code, rather than only in an application using Struts? |
| 68 | +3. Is it already documented as insecure configuration or unsupported usage? |
| 69 | +4. Is it a duplicate of a previously disclosed vulnerability or Struts Security Bulletin? |
| 70 | +5. Can the impact be demonstrated with a minimal, self-contained reproduction? |
| 71 | + |
| 72 | +If the answer still indicates a likely new vulnerability, help the researcher prepare a private report. |
| 73 | + |
| 74 | +## Private Report Requirements |
| 75 | + |
| 76 | +A useful private report should include: |
| 77 | + |
| 78 | +- affected Struts version or version range, |
| 79 | +- affected component or module, |
| 80 | +- required application configuration, if any, |
| 81 | +- minimal reproduction steps, |
| 82 | +- expected behavior, |
| 83 | +- actual behavior, |
| 84 | +- demonstrated security impact, |
| 85 | +- whether authentication or special privileges are required, |
| 86 | +- proposed fix or mitigation, if known. |
| 87 | + |
| 88 | +Do not speculate beyond what can be demonstrated. If severity is uncertain, say so explicitly. |
| 89 | + |
| 90 | +## Report Quality Rules |
| 91 | + |
| 92 | +- One vulnerability per report. |
| 93 | +- Keep reproduction steps minimal and self-contained. |
| 94 | +- Do not include unrelated findings. |
| 95 | +- Do not publish exploit details publicly before the Struts project has triaged the issue. |
| 96 | +- Do not send ordinary bugs, usage questions, or generic denial-of-service concerns to the private security list. |
| 97 | +- If the issue is not a vulnerability in Apache Struts source code, direct the researcher to the appropriate public support or issue channel instead. |
0 commit comments