qemu-devel

Re: [PATCH v1 1/1] security-process: update process information


From: P J P
Subject: Re: [PATCH v1 1/1] security-process: update process information
Date: Thu, 3 Dec 2020 10:52:29 +0530 (IST)

  Hello Dan,

+-- On Wed, 2 Dec 2020, Daniel P. Berrangé wrote --+
| > +    - If issue is found to be less severe, an upstream public bug (or an
| > +      issue) will be created immediately.
| 
| No need to repeat "or an issue". I think it would read more clearly as
| 
|    - If the severity of the issue is sufficiently low, an upstream public bug
|      may be created immediately.

  Okay.
    
| > +    - If issue is found to be severe, an embargo process below is followed,
| > +      and public bug (or an issue) will be opened at the end of the set
| > +      embargo period.
| 
|    - If the severity of the issue requires co-ordinated disclosure at a future
|      date, then the embargo process below is followed, and public bug will be
|      opened at the end of the set embargo period.

  Okay.
  
| Somewhere around here is probably a good place to link to:
| 
|   https://www.qemu.org/docs/master/system/security.html
| 
| which describes why we'll consider some things to be not security issues

  Towards the end, there's a section about 'How impact & severity of an issue
is decided'; the above link will fit in there well, I think.

 
| > -If a security issue is reported that is not already publicly disclosed, an
| > -embargo date may be assigned and communicated to the reporter. Embargo
| > -periods will be negotiated by mutual agreement between members of the 
security
| > -team and other relevant parties to the problem. Members of the security 
contact
| > -list agree not to publicly disclose any details of the security issue until
| > -the embargo date expires.
| > +* If a security issue is reported that is not already public and is severe
| > +  enough, an embargo date may be assigned and communicated to the
| > +  reporter(s).
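Review bot: in the hunk above, the replacement bullet covers only the assignment of an embargo date, while the removed paragraph also stated that embargo periods are negotiated by mutual agreement between the security team and other relevant parties, and that members of the security contact list agree not to publicly disclose any details until the embargo date expires. Unless those two points are reinstated in a later hunk, keep them next to the new bullet, e.g. "Members of the security contact list agree not to publicly disclose any details of the security issue until the embargo date expires."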
| 
| 
|   * If a security issue is reported that is not already public and its
|     severity requires coordinated disclosure, an embargo date may be
|     assigned and communicated to the reporter(s).
...
|   "The preferred embargo period will be up to 2 weeks, however, longer
|    embargoes can be negotiated if the severity of the issues requires it."

Okay, will add the above changes.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
