Rules for Patches and Git Commits

Developers must write and commit one patch per unique vulnerability at a time. It is forbidden to commit patches addressing multiple vulnerabilities at once.

After preparing a patch, developers commit the patch to the repository using a commit string message with a specific format. The format below allows our platform to map patches to vulnerability reports when calculating fix-it points.

The commit string message format has three parts:

  1. The first part is the string patch followed by a white space;
  2. The second part is a comma-separated list of the issue IDs addressed by the patch, followed by the character :. The issue IDs are those of the duplicate issues that report the same unique vulnerability. If Team A and Team B open two issues, e.g., issue #6 and issue #9, then the second part is the string #6, #9:. If the patch addresses a vulnerability reported by only one team, say issue #13, then the second part of the string is #13:;
  3. The third part is a text string of developers’ choice.

For example, if issues #6 and #9 report the same cross-site scripting vulnerability in a parameter X, the commit message is patch #6, #9: cross-site scripting in parameter X. Developers could use the string as follows:

$ git commit -m "patch #6, #9: cross-site scripting in parameter X"
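The following is an added example, not part of the platform's own tooling: a small Python parser and formatter for the three-part commit message described above, which can also be installed as a git commit-msg hook to reject messages that do not match the format before they reach the repository. The regular expression and the hook wiring are assumptions about how the rules would be enforced; the rules themselves are as stated on this page.

```python
import re
import sys

# Assumed pattern for the three-part format described above:
#   "patch " + comma-separated "#<n>" list (optional space after commas)
#   + ":" + a non-empty free-text description
_PATCH_MSG = re.compile(
    r"^patch (?P<ids>#\d+(?:,\s*#\d+)*):\s*(?P<text>\S.*)$",
    re.DOTALL,
)


def parse_patch_message(message: str):
    """Return (issue_ids, description) for a well-formed message, else None."""
    m = _PATCH_MSG.match(message.strip())
    if m is None:
        return None
    ids = [int(tok.strip().lstrip("#")) for tok in m.group("ids").split(",")]
    return ids, m.group("text").strip()


def format_patch_message(issue_ids, description: str) -> str:
    """Build a message in the required format from issue numbers and text."""
    ids = ", ".join(f"#{i}" for i in issue_ids)
    return f"patch {ids}: {description}"


def check_commit_msg_file(path: str) -> bool:
    """commit-msg hook body (assumed usage): True if the file is well-formed."""
    with open(path, encoding="utf-8") as fh:
        # Drop git's own comment lines; they start with '#' at column 0,
        # whereas a valid message always starts with the word "patch".
        lines = [ln for ln in fh.read().splitlines() if not ln.startswith("#")]
    return parse_patch_message("\n".join(lines)) is not None


if __name__ == "__main__":
    # Install as .git/hooks/commit-msg; git passes the message file path.
    if not check_commit_msg_file(sys.argv[1]):
        sys.stderr.write(
            "commit rejected: expected 'patch #<id>[, #<id>...]: <text>'\n"
        )
        sys.exit(1)
```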