Author: jlk
Date: Mon Jun 3 22:16:45 2013
New Revision: 1489205
URL: http://svn.apache.org/r1489205
Log:
Correcting markdown bullet list, tweaked intro text
Modified:
cloudstack/site/trunk/content/security.mdtext
Modified: cloudstack/site/trunk/content/security.mdtext
URL: http://svn.apache.org/viewvc/cloudstack/site/trunk/content/security.mdtext?rev=1489205&r1=1489204&r2=1489205&view=diff
==============================================================================
--- cloudstack/site/trunk/content/security.mdtext (original)
+++ cloudstack/site/trunk/content/security.mdtext Mon Jun 3 22:16:45 2013
@@ -2,7 +2,7 @@ Title: Apache CloudStack: Security
## Apache CloudStack Security
-The Apache CloudStack project understands that as a core infrastructure
project, the application security of Apache CloudStack is of critical
importance.
+The Apache CloudStack project understands that as a core infrastructure
project, the application security of Apache CloudStack is of critical
importance to the community and users.
### Apache CloudStack Security Team
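Review bot: the reworded intro sentence keeps a dangling modifier: "as a core infrastructure project" attaches to "the application security of Apache CloudStack" rather than to the project itself. Since this line is being touched anyway, a cleaner form is "The Apache CloudStack project understands that, because CloudStack is a core infrastructure project, its application security is of critical importance to the community and users."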
@@ -22,28 +22,34 @@ The security team asks that you **please
### Procedure for Responding to Potential Security Issues
-* Upon receiving notice of a potential security issue, a security team member
will create a bug to track the investigation, this bug must be flagged as a
security issue. Security flag should mean contents of ticket are not visible to
non-security team members
-* Security team investigates the issue to confirm/deny the presence of a
vulnerability within CloudStack
-* If the issue is determined not to be a vulnerability the reporter will be
notified and the issue will be closed as invalid.
-* If issue is confirmed as a CloudStack vulnerability:
-** Security team notifies the Apache Security team
-** Security team assigns a risk rating to the vulnerability using the Common
Vulnerability Scoring System
-** Security team works with reporter to get a chance to investigate and
mitigate the issue in a timely manner before public announcement. This should
be between 15-30 days, depending on the severity and complexity of the issue
-** Security team works with Apache Security Team to reserve a CVE Identifier
for future public release
-** Security team works with appropriate code maintainer(s) to create patch to
mitigate the issue
-** Testing is conducted to verify patch mitigates issue and does not cause
regression errors
-** Security team creates a vulnerability announcement
-** Patch is committed to trunk and other supported branches that are affected.
The commit should not refer to a particular vulnerability.
-** A new CloudStack release or hotfix is prepared and tested, containing the
new security patch.
-** Distributor coordination is implemented to enable a coordinated
announcement.
-** Security team posts vulnerability announcement to...
-*** CloudStack dev list
-*** CloudStack users list
-*** CloudStack Security alerts web page
-*** The Bugtraq mailing list
-** After announcement, CHANGES and NEWS files need to be updated to reflect
the vulnerability and fix. This must happen AFTER the announcement.
-** Also after announcement, modify the Jira ticket so that the issue is now
publicly viewable.
-* After the vulnerability is addressed, the CloudStack community should review
development processes to see how the community can minimize the chance of
similar vulnerabilities being introduced in the future.
+<ul>
+ <li> Upon receiving notice of a potential security issue, a security team
member will create a bug to track the investigation, this bug must be flagged
as a security issue. Security flag should mean contents of ticket are not
visible to non-security team members
+ <li> Security team investigates the issue to confirm/deny the presence of a
vulnerability within CloudStack
+ <li> If the issue is determined not to be a vulnerability the reporter will
be notified and the issue will be closed as invalid.
+ <li> If issue is confirmed as a CloudStack vulnerability:
+ <ul>
+ <li> Security team notifies the Apache Security team
+ <li> Security team assigns a risk rating to the vulnerability using the
Common Vulnerability Scoring System
+ <li> Security team works with reporter to get a chance to investigate and
mitigate the issue in a timely manner before public announcement. This should
be between 15-30 days, depending on the severity and complexity of the issue
+ <li> Security team works with Apache Security Team to reserve a CVE
Identifier for future public release
+ <li> Security team works with appropriate code maintainer(s) to create
patch to mitigate the issue
+ <li> Testing is conducted to verify patch mitigates issue and does not
cause regression errors
+ <li> Security team creates a vulnerability announcement
+ <li> Patch is committed to trunk and other supported branches that are
affected. The commit should not refer to a particular vulnerability.
+ <li> A new CloudStack release or hotfix is prepared and tested, containing
the new security patch.
+ <li> Distributor coordination is implemented to enable a coordinated
announcement.
+ <li> Security team posts vulnerability announcement to...
+ <ul>
+ <li> CloudStack dev list
+ <li> CloudStack users list
+ <li> CloudStack Security alerts web page
+ <li> The Bugtraq mailing list
+ </ul>
+ <li> After announcement, CHANGES and NEWS files need to be updated to
reflect the vulnerability and fix. This must happen AFTER the announcement.
+ <li> Also after announcement, modify the Jira ticket so that the issue is
now publicly viewable.
+ </ul>
+ <li> After the vulnerability is addressed, the CloudStack community should
review development processes to see how the community can minimize the chance
of similar vulnerabilities being introduced in the future.
+</ul>
### For further information
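Review bot: the nested procedure list is converted to raw HTML with no closing `</li>` tags, although the log says the markdown bullet list is being corrected; Markdown supports nested lists when sub-items are indented by four spaces, so the procedure could stay in one markup, e.g. `* If issue is confirmed as a CloudStack vulnerability:` followed by `    * Security team notifies the Apache Security team` and `    * Security team assigns a risk rating to the vulnerability using the Common Vulnerability Scoring System`. If the HTML block is kept, close every `<li>` explicitly so that the inner `<ul>` is unambiguously a child of the "If issue is confirmed as a CloudStack vulnerability:" item and the third-level list is a child of "Security team posts vulnerability announcement to...". Two wording problems carry over unchanged from the removed lines: the first item is a comma splice ("to track the investigation, this bug must be flagged as a security issue"), and "Security flag should mean contents of ticket are not visible to non-security team members" reads as a hope rather than a rule; stating that the security flag restricts the ticket to security team members makes the confidentiality requirement explicit, which matters because the later step "modify the Jira ticket so that the issue is now publicly viewable" depends on it. Also "between 15-30 days" should read "between 15 and 30 days".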