Re: [PATCH v1 1/1] security-process: update process information
From: P J P
Subject: Re: [PATCH v1 1/1] security-process: update process information
Date: Wed, 2 Dec 2020 17:49:04 +0530 (IST)
Hello Konrad, all
+-- On Tue, 1 Dec 2020, Konrad Rzeszutek Wilk wrote --+
| On Mon, Nov 30, 2020 at 07:19:07PM +0530, P J P wrote:
| > We are about to introduce a qemu-security mailing list to report
| > and triage QEMU security issues.
| > Update the QEMU security process web page with new mailing list
| > and triage details.
|
| Thank you for doing it!
| Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Thank you.
| with one change below.
|
| > + - Request a CVE and open an upstream
| > + [bug](https://bugs.launchpad.net/qemu/+bug/)
| > + or a [GitLab](https://gitlab.com/groups/qemu-project/-/issues) issue
|
| You may want to clarify that this step in the process will not disclose the
| details of the issue to the public.
Yes, this is covered in the following process text and under the publication
embargo section:
===
+ * We aim to process ... 60 days ... After the triaging step above
+
+ - If issue is found to be less severe, an upstream public bug (or an
+ issue) will be created immediately.
+ - If issue is found to be severe, an embargo process below is followed,
+ and public bug (or an issue) will be opened at the end of the set
+ embargo period.
...
+* Embargo periods will be negotiated by mutual agreement between reporter(s),
+ members of the security list and other relevant parties to the problem.
+ Such embargo period is generally upto [2 weeks]
+
+* Members of the security list agree not to publicly disclose any details of
+ an embargoed security issue until its embargo date expires.
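Review bot: the triage step quoted above, "Request a CVE and open an upstream bug or a GitLab issue", reads as if a public tracker entry is filed at triage time, while this excerpt says that for a severe issue the public bug (or issue) is opened only at the end of the embargo period; consider stating in that step that the report is filed privately or that the public bug is deferred until the embargo expires, so the step and the embargo text agree. Two wording points in the same excerpt: "If issue is found to be" should read "If the issue is found to be" (both occurrences), and "upto" should be "up to".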
===
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D