guix-commits

branch master updated: doc: Add document on security advisories.


From: Ludovic Courtès
Subject: branch master updated: doc: Add document on security advisories.
Date: Wed, 10 Feb 2021 06:46:25 -0500

This is an automated email from the git hooks/post-receive script.

civodul pushed a commit to branch master
in repository maintenance.

The following commit(s) were added to refs/heads/master by this push:
     new 1bc3495  doc: Add document on security advisories.
1bc3495 is described below

commit 1bc34954ec4217a28f1ad6445a149f52b4f7f3a0
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Wed Feb 10 12:45:54 2021 +0100

    doc: Add document on security advisories.
    
    * doc/security-advisories.org: New file.
---
 doc/security-advisories.org | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/doc/security-advisories.org b/doc/security-advisories.org
new file mode 100644
index 0000000..ef560c8
--- /dev/null
+++ b/doc/security-advisories.org
@@ -0,0 +1,37 @@
+#+TITLE: Addressing and announcing security issues
+
+This document describes the process to follow when reporting security
+issues in Guix.
+
+* Identify the problem and estimate its impact
+
+  This discussion usually happens on the private guix-security@gnu.org
+  list.
+
+* Work on a fix or workaround
+
+  This may happen on guix-security, or it could be tracked in the bug
+  tracker.
+
+  In general, bringing issues to public scrutiny can help raise
+  awareness and find better solutions.
+
+* Publicize bug and patch at bug-guix@gnu.org
+
+  That gives a bug number that can be used to track progress.
+
+* Commit bug fix followed by a =etc/news.scm= entry
+
+  Report the commit ID in the bug tracker.
+
+* Announce the issue
+
+** blog post with the “Security Advisory†tag
+
+** message to info-guix@gnu.org
+
+** oss-security list (?)
+
+* Assign a CVE number via https://cveform.mitre.org/ (?)
+
+  See also https://cve.mitre.org/cve/request_id.html.
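Review bot: the final heading, "* Assign a CVE number via https://cveform.mitre.org/ (?)", comes after "* Announce the issue", so the blog post and the info-guix message would be sent before there is a CVE ID to cite. Consider moving CVE assignment ahead of the announcement step, and resolving the two "(?)" markers (here and on "** oss-security list (?)") so the document states whether those steps are part of the process or optional. The opening sentence also says the document covers "reporting security issues", while the title and every step describe addressing and announcing them; rewording it to match the title would avoid sending reporters here. Finally, the text says the discussion "usually happens on the private guix-security@gnu.org list" and then that "bringing issues to public scrutiny can help", without saying when an issue should stay private until a fix is ready; one sentence on that criterion would help whoever follows the process.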


