Re: [PATCH v1 1/1] security-process: update process information
From: Philippe Mathieu-Daudé
Subject: Re: [PATCH v1 1/1] security-process: update process information
Date: Wed, 2 Dec 2020 14:50:44 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.4.0
Hi Prasad,
On 11/30/20 2:49 PM, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
...
> +## How we respond:
> +
> +* Process of handling security issues can be divided in two halves.
> +
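Review bot: the opening bullet "Process of handling security issues can be divided in two halves." reads as a fragment and "in two halves" is odd English for a numbered sequence of steps; suggest "The process for handling a security report has two stages:" (or three, if an acknowledgement step is added ahead of triage), so the numbered 1)/2) items that follow read as the stages of that sentence.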
Maybe:
0) **Acknowledge reception**
- A non-automated response email is sent to acknowledge the
reception of the request.
This is the starting date for the maximum **60 days** required
to process the issue, including bullets 1) and 2).
> + 1) **Triage:**
> + - Examine the issue details and confirm whether the issue is genuine
> + - Validate if it can be misused for malicious purposes
> + - Determine its worst case impact and severity
> + [Low/Moderate/Important/Critical]
> +
> + 2) **Response:**
> + - Negotiate embargo timeline (if required, depending on severity)
> + - Request a CVE and open an upstream
> + [bug](https://bugs.launchpad.net/qemu/+bug/)
> + or a [GitLab](https://gitlab.com/groups/qemu-project/-/issues) issue
> + - Create an upstream fix patch
with the proper Buglink/CVE/Reported-by tags.
- Participate in the review process until the patch is merged.
Test the fix updates with the private reproducer if required.
- Close the upstream [bug] with 'Fix released', including the
commit SHA-1 of the fix.
> +
> +* Above security lists are operated by select analysts, maintainers and/or
> + representatives from downstream communities.
> +
> +* List members follow a **responsible disclosure** policy. Any non-public
> + information you share about security issues, is kept confidential within
> the
> + respective affiliated companies. Such information shall not be passed on to
> + any third parties, including Xen Security Project, without your prior
> + permission.
> +
> +* We aim to process security issues within maximum of **60 days**. That is
> not
> + to say that issues will remain private for 60 days, nope. After the
> triaging
> + step above
> + - If issue is found to be less severe, an upstream public bug (or an
> + issue) will be created immediately.
> + - If issue is found to be severe, an embargo process below is followed,
> + and public bug (or an issue) will be opened at the end of the set
> + embargo period.
> +
> + This will allow upstream contributors to create, test and track fix
> patch(es).
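Review bot: the confidentiality bullet has a stray comma ("Any non-public information you share about security issues, is kept confidential") and singles out only "Xen Security Project" as a party that may not receive the information, which a reader could take to mean other projects' security teams may; suggest stating the rule generally, e.g. "Such information shall not be passed on to any third party, including other projects' security teams, without your prior permission." In the 60-day bullet, "within maximum of **60 days**" should read "within a maximum of", "nope" is out of register for a process document, and the two sub-bullets should read "If the issue is found to be less severe ..." / "If the issue is found to be severe ...".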
>
> Email sent to us is read and acknowledged with a non-automated response. For
> issues that are complicated and require significant attention, we will open
> an
^^^ You can remove that, as now covered by bullet 0).
Regards,
Phil.