[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] Document security reporting & handling process

On 06/04/2013 09:33 AM, Eric Blake wrote:
> On 06/04/2013 04:06 AM, Daniel P. Berrange wrote:
>> From: "Daniel P. Berrange" <berrange redhat com>
>> Historically security issues in libvirt have been primarily
>> triaged & fixed by the Red Hat libvirt members & Red Hat
>> security team, who then usually notify other vendors via
>> appropriate channels. There have been a number of times
>> when vendors have not been properly notified ahead of
>> announcement. It has also disadvantaged community members
>> who have to backport fixes to releases for which there are
>> no current libvirt stable branches.
>> To address this, we want to make the libvirt security process
>> entirely community focused / driven. To this end I have setup
>> a new email address "libvirt-security redhat com" for end
>> users to report bugs which have (possible) security implications.

>> Document how to report security bugs and the process that
>> will be used for addressing them.
>> Signed-off-by: Daniel P. Berrange <berrange redhat com>
>> ---
>>  docs/bugs.html.in            |  12 +++++
>>  docs/contact.html.in         |  12 +++++
>>  docs/securityprocess.html.in | 113 +++++++++++++++++++++++++++++++++++++++++++
>>  docs/sitemap.html.in         |   4 ++
>>  4 files changed, 141 insertions(+)
>>  create mode 100644 docs/securityprocess.html.in

Did this ever get pushed?  It should go in before 1.1.0 is released,
particularly since we have already used this list to discuss
CVE-2013-2218 (more details on Monday when embargo ends).

Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]