From: Darren Kenny <darren.kenny@oracle.com>
To: P J P <ppandit@redhat.com>, Stefan Hajnoczi <stefanha@gmail.com>
Cc: peter.maydell@linaro.org,
"Stefano Stabellini" <sstabellini@kernel.org>,
"Petr Matousek" <pmatouse@redhat.com>,
"Prasad J Pandit" <pjp@fedoraproject.org>,
"Konrad Rzeszutek Wilk" <konrad.wilk@oracle.com>,
secalert@redhat.com, "Michael Roth" <michael.roth@amd.com>,
"Michael S . Tsirkin" <mst@redhat.com>,
"QEMU Developers" <qemu-devel@nongnu.org>,
"Daniel P . Berrangé" <berrange@redhat.com>
Subject: Re: [RFC 1/1] security-process: update process information
Date: Tue, 24 Nov 2020 16:23:32 +0000 [thread overview]
Message-ID: <m2r1oi9117.fsf@oracle.com> (raw)
In-Reply-To: <20201124142238.225417-2-ppandit@redhat.com>
Hi Prasad,
Thanks for writing this up.
I have some comments below on the response steps.
On Tuesday, 2020-11-24 at 19:52:38 +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> We are about to introduce a qemu-security mailing list to report
> and triage QEMU security issues.
>
> Update the QEMU security process web page with new mailing list
> and triage details.
>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> contribute/security-process.md | 105 +++++++++++++++++----------------
> 1 file changed, 55 insertions(+), 50 deletions(-)
>
> diff --git a/contribute/security-process.md b/contribute/security-process.md
> index 1239967..a03092c 100644
> --- a/contribute/security-process.md
> +++ b/contribute/security-process.md
...
> +## How we respond:
> +
> +* Steps to triage:
> + - Examine and validate the issue details to confirm whether the
> + issue is genuine and can be misused for malicious purposes.
> + - Determine its worst case impact and severity(Low/M/I/Critical)
> + - Negotiate embargo timeline (if required)
> + - Request a CVE and open an upstream bug
> + - Create an upstream fix patch
> +
> +* Above security lists are operated by select analysts, maintainers and/or
> + representatives from downstream communities.
> +
> +* List members follow a **responsible disclosure** policy. Any non-public
> + information you share about security issues, is kept confidential within the
> + respective affiliated companies. Such information shall not be passed on to
> + any third parties, including Xen Security Project, without your prior
> + permission.
> +
> +* We aim to triage security issues within maximum of 60 days.
I always understood triage to be the initial steps in assessing a bug:
- determining if it is a security bug, in this case
- then deciding on the severity of it
I would not expect triage to include seeing it through to the point
where there is a fix as in the steps above and as such that definition
of triage should probably have a shorter time frame.
At this point, if it is not a security bug, then it should just be
logged as any other bug in Qemu, which goes on to qemu-devel then.
But, if it is a security bug - then that is when the next steps would be
taken, to (not necessarily in this order):
- negotiate an embargo (should the predefined 60 days be insufficient)
- don't know if you need to mention that this would include downstream
in this too, since they will be the ones most likely to need the
time to distribute a fix
- request a CVE
- create a fix for upstream
- distros can work on bringing that back into downstream as needed,
within the embargo period
I do feel that it is worth separating the 2 phases of triage and beyond,
but of course that is only my thoughts on it, I'm sure others will have
theirs.
Thanks,
Darren.
next prev parent reply other threads:[~2020-11-24 16:41 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-24 14:22 [RFC 0/1] security-process: update with mailing list details P J P
2020-11-24 14:22 ` [RFC 1/1] security-process: update process information P J P
2020-11-24 16:23 ` Darren Kenny [this message]
2020-11-25 12:48 ` P J P
2020-11-25 14:44 ` Darren Kenny
-- strict thread matches above, loose matches on Subject: below --
2020-11-24 16:26 Red Hat Product Security
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m2r1oi9117.fsf@oracle.com \
--to=darren.kenny@oracle.com \
--cc=berrange@redhat.com \
--cc=konrad.wilk@oracle.com \
--cc=michael.roth@amd.com \
--cc=mst@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=pjp@fedoraproject.org \
--cc=pmatouse@redhat.com \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=secalert@redhat.com \
--cc=sstabellini@kernel.org \
--cc=stefanha@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.