From: Darren Kenny <darren.kenny@oracle.com>
To: P J P <ppandit@redhat.com>, Stefan Hajnoczi <stefanha@gmail.com>
Cc: peter.maydell@linaro.org,
"Stefano Stabellini" <sstabellini@kernel.org>,
"Petr Matousek" <pmatouse@redhat.com>,
"Prasad J Pandit" <pjp@fedoraproject.org>,
"Konrad Rzeszutek Wilk" <konrad.wilk@oracle.com>,
secalert@redhat.com, "Michael Roth" <michael.roth@amd.com>,
"Michael S . Tsirkin" <mst@redhat.com>,
"QEMU Developers" <qemu-devel@nongnu.org>,
"Daniel P . Berrangé" <berrange@redhat.com>
Subject: Re: [RFC 1/1] security-process: update process information
Date: Tue, 24 Nov 2020 16:23:32 +0000 [thread overview]
Message-ID: <m2r1oi9117.fsf@oracle.com> (raw)
In-Reply-To: <20201124142238.225417-2-ppandit@redhat.com>
Hi Prasad,
Thanks for writing this up.
I have some comments below on the response steps.
On Tuesday, 2020-11-24 at 19:52:38 +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> We are about to introduce a qemu-security mailing list to report
> and triage QEMU security issues.
>
> Update the QEMU security process web page with new mailing list
> and triage details.
>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> contribute/security-process.md | 105 +++++++++++++++++----------------
> 1 file changed, 55 insertions(+), 50 deletions(-)
>
> diff --git a/contribute/security-process.md b/contribute/security-process.md
> index 1239967..a03092c 100644
> --- a/contribute/security-process.md
> +++ b/contribute/security-process.md
...
> +## How we respond:
> +
> +* Steps to triage:
> + - Examine and validate the issue details to confirm whether the
> + issue is genuine and can be misused for malicious purposes.
> + - Determine its worst case impact and severity(Low/M/I/Critical)
> + - Negotiate embargo timeline (if required)
> + - Request a CVE and open an upstream bug
> + - Create an upstream fix patch
> +
> +* Above security lists are operated by select analysts, maintainers and/or
> + representatives from downstream communities.
> +
> +* List members follow a **responsible disclosure** policy. Any non-public
> + information you share about security issues, is kept confidential within the
> + respective affiliated companies. Such information shall not be passed on to
> + any third parties, including Xen Security Project, without your prior
> + permission.
> +
> +* We aim to triage security issues within maximum of 60 days.
I always understood triage to be the initial steps in assessing a bug:
- determining if it is a security bug, in this case
- then deciding on the severity of it
I would not expect triage to include seeing it through to the point
where there is a fix as in the steps above and as such that definition
of triage should probably have a shorter time frame.
At this point, if it is not a security bug, then it should just be
logged as any other bug in Qemu, which goes on to qemu-devel then.
But, if it is a security bug - then that is when the next steps would be
taken, to (not necessarily in this order):
- negotiate an embargo (should the predefined 60 days be insufficient)
- don't know if you need to mention that this would include downstream
in this too, since they will be the ones most likely to need the
time to distribute a fix
- request a CVE
- create a fix for upstream
- distros can work on bringing that back into downstream as needed,
within the embargo period
I do feel that it is worth separating the 2 phases of triage and beyond,
but of course that is only my thoughts on it, I'm sure others will have
theirs.
Thanks,
Darren.
next prev parent reply other threads:[~2020-11-24 16:41 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-24 14:22 [RFC 0/1] security-process: update with mailing list details P J P
2020-11-24 14:22 ` [RFC 1/1] security-process: update process information P J P
2020-11-24 16:23 ` Darren Kenny [this message]
2020-11-25 12:48 ` P J P
2020-11-25 14:44 ` Darren Kenny
-- strict thread matches above, loose matches on Subject: below --
2020-11-24 16:26 Red Hat Product Security
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m2r1oi9117.fsf@oracle.com \
--to=darren.kenny@oracle.com \
--cc=berrange@redhat.com \
--cc=konrad.wilk@oracle.com \
--cc=michael.roth@amd.com \
--cc=mst@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=pjp@fedoraproject.org \
--cc=pmatouse@redhat.com \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=secalert@redhat.com \
--cc=sstabellini@kernel.org \
--cc=stefanha@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).