qemu-devel

Re: [PATCH v1 1/1] security-process: update process information


From: Philippe Mathieu-Daudé
Subject: Re: [PATCH v1 1/1] security-process: update process information
Date: Wed, 2 Dec 2020 14:50:44 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.4.0

Hi Prasad,

On 11/30/20 2:49 PM, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
> 
...
> +## How we respond:
> +
> +* Process of handling security issues can be divided in two halves.
> +
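Review bot: "Process of handling security issues can be divided in two halves" is ungrammatical, and once a 0) step precedes 1) and 2) "halves" no longer fits; suggest "The process of handling security issues has the following steps:". The trailing colon in "## How we respond:" is also unusual for a heading and can be dropped.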

Maybe:

     0) **Acknowledge reception**
       - A non-automated response email is sent to acknowledge the
         reception of the request.
         This is the starting date for the maximum **60 days** required
         to process the issue, including bullets 1) and 2).

> +  1) **Triage:**
> +    - Examine the issue details and confirm whether the issue is genuine
> +    - Validate if it can be misused for malicious purposes
> +    - Determine its worst case impact and severity
> +      [Low/Moderate/Important/Critical]
> +
> +  2) **Response:**
> +    - Negotiate embargo timeline (if required, depending on severity)
> +    - Request a CVE and open an upstream
> +      [bug](https://bugs.launchpad.net/qemu/+bug/)
> +      or a [GitLab](https://gitlab.com/groups/qemu-project/-/issues) issue
> +    - Create an upstream fix patch
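Review bot: the severity scale in 1) [Low/Moderate/Important/Critical] is introduced without saying what distinguishes the levels, yet 2) decides on an embargo "depending on severity"; suggest a one-line definition of each level (or a link to the criteria used) so reporters can anticipate whether an embargo will apply. Minor: "worst case impact" should read "worst-case impact", and 2) offers both a Launchpad bug and a GitLab issue without saying which tracker is preferred.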

         with the proper Buglink/CVE/Reported-by tags.

       - Participate in the review process until the patch is merged.
         Test the fix updates with the private reproducer if required.
       - Close the upstream [bug] with 'Fix released', including the
         commit SHA-1 of the fix.

> +
> +* Above security lists are operated by select analysts, maintainers and/or
> +  representatives from downstream communities.
> +
> +* List members follow a **responsible disclosure** policy. Any non-public
> +  information you share about security issues, is kept confidential within 
> the
> +  respective affiliated companies. Such information shall not be passed on to
> +  any third parties, including Xen Security Project, without your prior
> +  permission.
> +
> +* We aim to process security issues within maximum of **60 days**. That is 
> not
> +  to say that issues will remain private for 60 days, nope. After the 
> triaging
> +  step above
> +    - If issue is found to be less severe, an upstream public bug (or an
> +      issue) will be created immediately.
> +    - If issue is found to be severe, an embargo process below is followed,
> +      and public bug (or an issue) will be opened at the end of the set
> +      embargo period.
> +
> +  This will allow upstream contributors to create, test and track fix 
> patch(es).
>  
>  Email sent to us is read and acknowledged with a non-automated response. For
>  issues that are complicated and require significant attention, we will open 
> an
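Review bot: in the responsible disclosure bullet, "Any non-public information you share about security issues, is kept confidential within the respective affiliated companies" has a stray comma before "is", and "respective affiliated companies" is never defined; suggest "is kept confidential among list members and their affiliated organisations". In the 60-day bullet, "nope" is too informal for a process document; suggest "That does not mean issues stay private for 60 days: after the triage step above," followed directly by the two sub-bullets.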

   ^^^ You can remove that, as now covered by bullet 0).

Regards,

Phil.
