[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH v1 1/1] security-process: update process information
From: |
P J P |
Subject: |
[PATCH v1 1/1] security-process: update process information |
Date: |
Mon, 30 Nov 2020 19:19:07 +0530 |
From: Prasad J Pandit <pjp@fedoraproject.org>
We are about to introduce a qemu-security mailing list to report
and triage QEMU security issues.
Update the QEMU security process web page with new mailing list
and triage details.
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
contribute/security-process.md | 134 ++++++++++++++++++++-------------
1 file changed, 80 insertions(+), 54 deletions(-)
Update v1: incorporate feedback from review to include more details
-> https://lists.nongnu.org/archive/html/qemu-devel/2020-11/msg06234.html
diff --git a/contribute/security-process.md b/contribute/security-process.md
index 1239967..fe1bc8b 100644
--- a/contribute/security-process.md
+++ b/contribute/security-process.md
@@ -3,43 +3,70 @@ title: Security Process
permalink: /contribute/security-process/
---
-QEMU takes security very seriously, and we aim to take immediate action to
-address serious security-related problems that involve our product.
-
-Please report any suspected security vulnerability in QEMU to the following
-addresses. You can use GPG keys for respective receipients to communicate with
-us securely. If you do, please upload your GPG public key or supply it to us
-in some other way, so that we can communicate to you in a secure way, too!
-Please include the tag **\[QEMU-SECURITY\]** on the subject line to help us
-identify your message as security-related.
-
-## QEMU Security Contact List
-
-Please copy everyone on this list:
-
- Contact Person(s) | Contact Address | Company | GPG
Key | GPG key fingerprint
-:-----------------------|:------------------------------|:--------------|:---------:|:--------------------
- Michael S. Tsirkin | mst@redhat.com | Red Hat Inc. |
[🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0xC3503912AFBE8E67)
| 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67
- Petr Matousek | pmatouse@redhat.com | Red Hat Inc. |
[🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x3E786F42C44977CA)
| 8107 AF16 A416 F9AF 18F3 D874 3E78 6F42 C449 77CA
- Stefano Stabellini | sstabellini@kernel.org | Independent |
[🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x894F8F4870E1AE90)
| D04E 33AB A51F 67BA 07D3 0AEA 894F 8F48 70E1 AE90
- Security Response Team | secalert@redhat.com | Red Hat Inc. |
[🔑](https://access.redhat.com/site/security/team/contact/#contact) |
- Michael Roth | michael.roth@amd.com | AMD |
[🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584)
| CEAC C9E1 5534 EBAB B82D 3FA0 3353 C9CE F108 B584
- Prasad J Pandit | pjp@redhat.com | Red Hat Inc. |
[🔑](http://pool.sks-keyservers.net/pks/lookup?op=vindex&search=0xE2858B5AF050DE8D)
| 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
-
-## How to Contact Us Securely
-
-We use GNU Privacy Guard (GnuPG or GPG) keys to secure communications. Mail
-sent to members of the list can be encrypted with public keys of all members
-of the list. We expect to change some of the keys we use from time to time.
-Should a key change, the previous one will be revoked.
-
-## How we respond
-
-Maintainers listed on the security reporting list operate a policy of
-responsible disclosure. As such they agree that any information you share with
-them about security issues that are not public knowledge is kept confidential
-within respective affiliated companies. It is not passed on to any third-party,
-including Xen Security Project, without your permission.
+Please report any suspected security issue in QEMU to the security mailing
+list at:
+
+*
[\<qemu-security@nongnu.org\>](https://lists.gnu.org/archive/html/qemu-security/)
+
+To report an issue via [GPG](https://gnupg.org/) encrypted email, please send
+it to the Red Hat Product Security team at:
+
+*
[\<secalert@redhat.com\>](https://access.redhat.com/security/team/contact/#contact)
+
+**Note:** after the triage, encrypted issue details shall be sent to the
upstream
+'qemu-security' mailing list for archival purposes.
+
+## How to report an issue:
+
+* Please include as many details as possible in the issue report.
+ Ex:
+ - QEMU version, upstream commit/tag
+ - Host & Guest architecture x86/Arm/PPC, 32/64 bit etc.
+ - Affected code area/snippets
+ - Stack traces, crash details
+ - Malicious inputs/reproducer steps etc.
+ - Any configurations/settings required to trigger the issue.
+
+* Please share the QEMU command line used to invoke a guest VM.
+
+* Please specify whom to acknowledge for reporting this issue.
+
+## How we respond:
+
+* Process of handling security issues can be divided in two halves.
+
+ 1) **Triage:**
+ - Examine the issue details and confirm whether the issue is genuine
+ - Validate if it can be misused for malicious purposes
+ - Determine its worst case impact and severity
+ [Low/Moderate/Important/Critical]
+
+ 2) **Response:**
+ - Negotiate embargo timeline (if required, depending on severity)
+ - Request a CVE and open an upstream
+ [bug](https://bugs.launchpad.net/qemu/+bug/)
+ or a [GitLab](https://gitlab.com/groups/qemu-project/-/issues) issue
+ - Create an upstream fix patch
+
+* Above security lists are operated by select analysts, maintainers and/or
+ representatives from downstream communities.
+
+* List members follow a **responsible disclosure** policy. Any non-public
+ information you share about security issues, is kept confidential within the
+ respective affiliated companies. Such information shall not be passed on to
+ any third parties, including Xen Security Project, without your prior
+ permission.
+
+* We aim to process security issues within maximum of **60 days**. That is not
+ to say that issues will remain private for 60 days, nope. After the triaging
+ step above
+ - If issue is found to be less severe, an upstream public bug (or an
+ issue) will be created immediately.
+ - If issue is found to be severe, an embargo process below is followed,
+ and public bug (or an issue) will be opened at the end of the set
+ embargo period.
+
+ This will allow upstream contributors to create, test and track fix
patch(es).
Email sent to us is read and acknowledged with a non-automated response. For
issues that are complicated and require significant attention, we will open an
@@ -48,27 +75,31 @@ of the following steps:
### Publication embargo
-If a security issue is reported that is not already publicly disclosed, an
-embargo date may be assigned and communicated to the reporter. Embargo
-periods will be negotiated by mutual agreement between members of the security
-team and other relevant parties to the problem. Members of the security contact
-list agree not to publicly disclose any details of the security issue until
-the embargo date expires.
+* If a security issue is reported that is not already public and is severe
+ enough, an embargo date may be assigned and communicated to the
+ reporter(s).
+
+* Embargo periods will be negotiated by mutual agreement between reporter(s),
+ members of the security list and other relevant parties to the problem.
+ Such embargo period is generally upto [2
weeks](https://oss-security.openwall.org/wiki/mailing-lists/distros).
+
+* Members of the security list agree not to publicly disclose any details of
+ an embargoed security issue until its embargo date expires.
### CVE allocation
-An security issue is assigned with a CVE number. The CVE numbers will usually
-be allocated by one of the vendor security engineers on the security contact
-list.
+Each security issue is assigned a [CVE](https://cveform.mitre.org/) number.
+The CVE number is allocated by one of the vendor security engineers on the
+security list.
-## When to contact the QEMU Security Contact List
+## When to contact the QEMU Security List
-You should contact the Security Contact List if:
+You should contact the Security List if:
* You think there may be a security vulnerability in QEMU.
* You are unsure about how a known vulnerability affects QEMU.
* You can contact us in English. We are unable to respond in other languages.
-## When *not* to contact the QEMU Security Contact List
+## When *not* to contact the QEMU Security List
* You need assistance in a language other than English.
* You require technical assistance (for example, "how do I configure QEMU?").
* You need help upgrading QEMU due to security alerts.
@@ -122,8 +153,3 @@ used to write programs for the SoC device. In such
developer environments, it
is generally assumed that the guest is trusted.
And thus, this buffer overflow turned out to be a security non-issue.
-
-## What to Send to the QEMU Security Contact List
-
-Please provide as much information about your system and the issue as possible
-when contacting the list.
--
2.28.0