[libvirt] [PATCH] Document security reporting & handling process

[Eric Blake]

On 06/04/2013 09:33 AM, Eric Blake wrote:
> On 06/04/2013 04:06 AM, Daniel P. Berrange wrote:
>> From: "Daniel P. Berrange" <berrange at redhat.com>
>>
>> Historically security issues in libvirt have been primarily
>> triaged & fixed by the Red Hat libvirt members & Red Hat
>> security team, who then usually notify other vendors via
>> appropriate channels. There have been a number of times
>> when vendors have not been properly notified ahead of
>> announcement. It has also disadvantaged community members
>> who have to backport fixes to releases for which there are
>> no current libvirt stable branches.
>>
>> To address this, we want to make the libvirt security process
>> entirely community focused / driven. To this end I have setup
>> a new email address "libvirt-security at redhat.com" for end
>> users to report bugs which have (possible) security implications.

>> Document how to report security bugs and the process that
>> will be used for addressing them.
>>
>> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
>> ---
>>  docs/bugs.html.in            |  12 +++++
>>  docs/contact.html.in         |  12 +++++
>>  docs/securityprocess.html.in | 113 +++++++++++++++++++++++++++++++++++++++++++
>>  docs/sitemap.html.in         |   4 ++
>>  4 files changed, 141 insertions(+)
>>  create mode 100644 docs/securityprocess.html.in

Did this ever get pushed?  It should go in before 1.1.0 is released,
particularly since we have already used this list to discuss
CVE-2013-2218 (more details on Monday when embargo ends).

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 621 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20130628/3e57e6be/attachment-0001.sig>