This is based on Paolo's suggestion[1] that the 'security-process'[2]
page is a candidate for docs/devel.
Converted from Markdown to rST using:
$> pandoc -f markdown -t rst security-process.md \
-o security-process.rst
It's a 1-1 conversion (I double-checked to the best I could). I've also
checked that the hyperlinks work correctly post-conversion.
[1] https://lists.nongnu.org/archive/html/qemu-devel/2021-11/msg04002.html
[2] https://www.qemu.org/contribute/security-process
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
---
docs/devel/index.rst | 1 +
docs/devel/security-process.rst | 190 ++++++++++++++++++++++++++++++++
2 files changed, 191 insertions(+)
create mode 100644 docs/devel/security-process.rst
diff --git a/docs/devel/index.rst b/docs/devel/index.rst
index afd937535e..424eff9294 100644
--- a/docs/devel/index.rst
+++ b/docs/devel/index.rst
@@ -48,3 +48,4 @@ modifying QEMU's source code.
trivial-patches
submitting-a-patch
submitting-a-pull-request
+ security-process
diff --git a/docs/devel/security-process.rst b/docs/devel/security-process.rst
new file mode 100644
index 0000000000..cc1000fe43
--- /dev/null
+++ b/docs/devel/security-process.rst
@@ -0,0 +1,190 @@
+.. _security-process:
+
+Security Process
+================
+
+Please report any suspected security issue in QEMU to the security
+mailing list at:
+
+- `<qemu-security@nongnu.org>
<https://lists.nongnu.org/mailman/listinfo/qemu-security>`__
+
+To report an issue via `GPG <https://gnupg.org/>`__ encrypted email,
+please send it to the Red Hat Product Security team at:
+
+- `<secalert@redhat.com>
<https://access.redhat.com/security/team/contact/#contact>`__
+
+**Note:** after the triage, encrypted issue details shall be sent to the
+upstream ‘qemu-security’ mailing list for archival purposes.
+
+How to report an issue
+----------------------
+
+- Please include as many details as possible in the issue report. Ex:
+
+ - QEMU version, upstream commit/tag
+ - Host & Guest architecture x86/Arm/PPC, 32/64 bit etc.
+ - Affected code area/snippets
+ - Stack traces, crash details
+ - Malicious inputs/reproducer steps etc.
+ - Any configurations/settings required to trigger the issue.
+
+- Please share the QEMU command line used to invoke a guest VM.
+
+- Please specify whom to acknowledge for reporting this issue.
+
+How we respond
+~~~~~~~~~~~~~~
+
+- Process of handling security issues comprises following steps:
+
+ 0) **Acknowledge:**
+
+ - A non-automated response email is sent to the reporter(s) to
+ acknowledge the reception of the report. (*60 day’s counter starts
+ here*)
+
+ 1) **Triage:**
+
+ - Examine the issue details and confirm whether the issue is genuine
+ - Validate if it can be misused for malicious purposes
+ - Determine its worst case impact and severity
+ [Low/Moderate/Important/Critical]
+
+ 2) **Response:**
+
+ - Negotiate embargo timeline (if required, depending on severity)
+ - Request a `CVE <https://cveform.mitre.org/>`__ and open an
+ upstream `bug <https://www.qemu.org/contribute/report-a-bug/>`__
+ - Create an upstream fix patch annotated with
+
+ - CVE-ID
+ - Link to an upstream bugzilla
+ - Reported-by, Tested-by etc. tags
+
+ - Once the patch is merged, close the upstream bug with a link to
+ the commit
+
+ - Fixed in:
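Review bot: a few wording and markup nits in the new file, which can be fixed here or deferred to a follow-up if the intent is to keep this a strict 1-1 conversion. "60 day's counter starts here" (in the Acknowledge step) should read "60-day counter starts here", and "Process of handling security issues comprises following steps:" is missing its articles ("The process of handling security issues comprises the following steps:"). The two contact links use the address wrapped in angle brackets as the link text, e.g. `` `<qemu-security@nongnu.org> <https://lists.nongnu.org/mailman/listinfo/qemu-security>`__ ``; docutils takes only the final angle-bracketed group as the URI, so the rendered link text will carry the literal brackets ("<qemu-security@nongnu.org>"). Dropping the inner brackets (`` `qemu-security@nongnu.org <https://...>`__ ``) gives a cleaner rendering, and the same applies to the secalert@redhat.com link.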