Second Life JIRA Tutorial: Security Exploits and TPV Violations

This is the third part of a tutorial outlining how to use the Second Life JIRA. This section covers:

  • Filing security exploit reports.
  • Reporting Third Party Viewer violations.

Note that the JIRA system can also be used to file requests for third-party viewers to be added to the Third Party Viewer Directory; however, this falls outside the scope of this tutorial.


Security Exploits (SEC) Overview

If an issue poses any of the following threats to Second Life, its Residents or content, then it is an exploit and should be reported:

  • Exposes real life Resident identity without consent.
  • Destroys content.
  • Permits unauthorized access to Second Life/Linden Lab resources.
  • Compromises a client or server host subjecting it to remote control.

There are two ways to file security exploits:

  • Via a Second Life Security Exploit JIRA, as described below. This is the preferred method of raising such issues.
  • Via email to security-at-lindenlab.com.

Note that by their very nature, SEC JIRA reports are not available for public viewing.

When reporting a SEC issue, please provide as much detail as possible, including the environment used (e.g. operating system, hardware, CPU, GPU, location in SL where first encountered, etc.), together with a clear and complete set of instructions on how to reproduce the issue. SEC issues should preferably be reported as soon as they are discovered / reproduced.

SEC Bounties

Linden Lab offers a L$10,000 (approx US $40) bounty for each previously unknown exploit that can be verified. Such bounties are generally awarded after the reporter helps confirm that an issue has been fixed, and are contingent on not disclosing the issue prior to Linden Lab publishing a fix.

Filing A Security Exploit Report (SEC)

Note: The SEC project (and security mailing list) is only for reporting security exploits that might compromise a Resident's identity or the Second Life Grid. All other requests, including account issues and account security, will not be addressed – these should be reported directly to the Second Life support team.

  1. Log-in to the Second Life JIRA using your Second Life log-in credentials.
  2. Click on +Create Issue (top right).
  3. The Bug Report form will be displayed.
  4. Click on the Project drop down, and select Second Life Security Exploits (SEC).
[Image: Use the JIRA Issue Type drop-down to select and display the Security Exploits (SEC) form]
  5. The SEC form comprises two tabbed sections: BASIC and ADVANCED. Raising a SEC report primarily involves completing the BASIC tab, which is open by default on selecting the SEC form type:
    • Summary: provide a concise summary of the issue – and remember that this will form the title of the bug report.
    • Environment: use this section to provide information on the environment – viewer and simulator – in which you encountered the problem. This information can be obtained directly from the viewer.
      • Make sure you are in the region where you observed the exploit to ensure all environment information is accurate.
      • In the viewer, go to Help > About Second Life. This opens a floater with the Info tab selected. At the bottom of this panel is a button: Copy to Clipboard. Click on this to copy the information displayed in the panel.
      • This information includes: the version of the viewer you are using; your location in Second Life at the time the information was copied; the simulator version for the region you are on (hence the importance of being in the region where the problem occurred); and core information about your computer: operating system / version, CPU, RAM, GPU and graphics driver, etc.
      • Paste this information into the Environment field in the SEC report.
    • Description: provide a clear description of the issue, including step-by-step instructions to reproduce (where applicable). Include information on notable events, outcomes, etc. specific to the exploit (e.g. obtaining user information, or the resultant compromise to the SL grid). Note this section will expand as you add text.
    • Attachment: optionally use this to attach annotated images (referenced in the Description field) which might help illustrate the issue / exploit.
    • Note that Summary, Environment and Description must be filled out.
[Image: The BASIC information tab of the SEC form]
  6. In the ADVANCED tab, use the Priority drop-down to set an initial priority for the issue. Note this may be revised by Linden Lab following triage and initial investigation.
  7. Review the information you’ve supplied in the form and, when satisfied it is correct and complete, click the Create button at the bottom right of the form to submit your report.

What Happens Next

The report will be triaged by the Lab. Accepted reports will be tracked internally, and the ADVANCED tab updated with relevant progress / feedback. Issues with significant or widespread impact will often be fixed in short order; otherwise, Lindens attempt to bundle low-impact security fixes into update or maintenance work on related code.

Third Party Viewer Violations

The JIRA includes two third-party viewer (TPV) options:

  • Violation Report – for reporting TPVs believed to be in violation of the Second Life Terms of Service and / or the Policy on Third Party Viewers.
  • Application – submitting a request for including a viewer in the Third Party Viewer directory.
    • Submission can only be made by a person directly responsible for a viewer.
    • Submitting this application form is an acknowledgement of this, and that the submitter and the viewer are complying with the Policy on Third Party Viewers.
    • This form is specific to TPV developers, and so is not expanded upon here.

What is a TPV Violation?

Again, please note this form is only for reporting violations of the Second Life Terms of Service and / or the Policy on Third Party Viewers. Do not use this to report bugs in third-party viewers, including reporting that you may have detected a virus or other malware in the viewer. Bugs related to TPVs should be reported directly to the viewer developer through whatever means they have provided, not via this form or via the official Second Life JIRA.

As with SEC reports, TPV reports are confidential. Only a limited set of users are able to see violations or applications in progress.

Filing a Violation Report

  1. Log-in to the Second Life JIRA using your Second Life log-in credentials.
  2. Click on +Create Issue (top right).
  3. The Bug Report form will be displayed.
  4. Click on the Project drop down, and select Third Party Viewers.
[Image: Accessing the third-party viewer options]
  5. The Violation Report is selected by default. This comprises two tabs: the FIELD tab and the ATTACHMENT tab. Both can be used when raising a report.
  6. FIELD tab:
    • Summary (required field): provide a summary of the violation.
    • Component/s: enter the name of the violating viewer(s) – or select the name from the drop-down list.
    • Priority: select the priority of the report from the drop-down, or leave as Unset if unsure.
    • Version: enter the version number of the violating viewer, if known.
    • Description (required field): provide a clear description of the violation, or step-by-step instructions on how the violation can be caused.
    • Which TPV or ToS rule is broken?: if you can identify the rule in the Second Life Policy on Third Party Viewers or the Second Life Terms of Service that has been broken, please list it.
  7. ATTACHMENT tab:
    • Use this tab to upload images demonstrating the violation – please make sure they are clearly annotated and referenced in your description.
  8. When you have confirmed the information is correct and as clear as possible, and any images / files are attached, click the Create button at the bottom right of the form to submit your violation report.

What Happens Next

The violation report will be reviewed, and depending on the nature of the violation, the third-party viewer may be removed from the Third Party Viewer Directory. If the violation is found to be related to the Second Life Terms of Service, additional actions may be taken by Linden Lab, depending on the nature of the infringement.
