Author: buildbot
Date: Mon Jun  3 22:17:01 2013
New Revision: 864271

Log:
Staging update by buildbot for cloudstack

Modified:
    websites/staging/cloudstack/trunk/content/   (props changed)
    websites/staging/cloudstack/trunk/content/security.html

Propchange: websites/staging/cloudstack/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Mon Jun  3 22:17:01 2013
@@ -1 +1 @@
-1489198
+1489205

Modified: websites/staging/cloudstack/trunk/content/security.html
==============================================================================
--- websites/staging/cloudstack/trunk/content/security.html (original)
+++ websites/staging/cloudstack/trunk/content/security.html Mon Jun  3 22:17:01 
2013
@@ -128,7 +128,7 @@
             </div>
             <div class="span9">
         <p> <h2 id="apache-cloudstack-security">Apache CloudStack Security</h2>
-<p>The Apache CloudStack project understands that as a core infrastructure 
project, the application security of Apache CloudStack is of critical 
importance.</p>
+<p>The Apache CloudStack project understands that as a core infrastructure 
project, the application security of Apache CloudStack is of critical 
importance to the community and users.</p>
 <h3 id="apache-cloudstack-security-team">Apache CloudStack Security Team</h3>
 <p>The PMC has decided to create a "Security Team" for CloudStack.  The 
Security Team's charter is to manage the response to vulnerabilities reported 
with Apache CloudStack.  This includes communication with the report, issue 
verification, issue correction, public communication creation, and vendor 
coordination.  The Security Team may ask assistance from other community 
members to help verify or correct a reported issue.</p>
 <p>Members of the PMC are eligible to join the security team, but lurking is 
discouraged.</p>
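Review bot: the context line at the top of this hunk, `<p> <h2 id="apache-cloudstack-security">`, opens a paragraph around a heading; a heading is a block element and browsers will implicitly close that `<p>`, so the wrapper should be dropped (the generator is emitting `<p>` around the whole rendered section). Unrelated to the wording change, "communication with the report" in the Security Team paragraph should read "communication with the reporter".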
@@ -139,29 +139,34 @@
 <p>The security team asks that you <strong>please do not create 
publicly-viewable JIRA tickets related to the issue</strong>. If validated, a 
JIRA ticket with the security flag set will be created for tracking the issue 
in a non-public manner.</p>
 <h3 id="procedure-for-responding-to-potential-security-issues">Procedure for 
Responding to Potential Security Issues</h3>
 <ul>
-<li>Upon receiving notice of a potential security issue, a security team 
member will create a bug to track the investigation, this bug must be flagged 
as a security issue. Security flag should mean contents of ticket are not 
visible to non-security team members</li>
-<li>Security team investigates the issue to confirm/deny the presence of a 
vulnerability within CloudStack</li>
-<li>If the issue is determined not to be a vulnerability the reporter will be 
notified and the issue will be closed as invalid.</li>
-<li>If issue is confirmed as a CloudStack vulnerability:
-<strong> Security team notifies the Apache Security team
-</strong> Security team assigns a risk rating to the vulnerability using the 
Common Vulnerability Scoring System
-<strong> Security team works with reporter to get a chance to investigate and 
mitigate the issue in a timely manner before public announcement. This should 
be between 15-30 days, depending on the severity and complexity of the issue
-</strong> Security team works with Apache Security Team to reserve a CVE 
Identifier for future public release
-<strong> Security team works with appropriate code maintainer(s) to create 
patch to mitigate the issue
-</strong> Testing is conducted to verify patch mitigates issue and does not 
cause regression errors
-<strong> Security team creates a vulnerability announcement
-</strong> Patch is committed to trunk and other supported branches that are 
affected.  The commit should not refer to a particular vulnerability.
-<strong> A new CloudStack release or hotfix is prepared and tested, containing 
the new security patch.
-</strong> Distributor coordination is implemented to enable a coordinated 
announcement.
-<strong> Security team posts vulnerability announcement to...
-<strong><em> CloudStack dev list
-</em></strong> CloudStack users list
-<strong><em> CloudStack Security alerts web page
-</em></strong> The Bugtraq mailing list
-</strong> After announcement, CHANGES and NEWS files need to be updated to 
reflect the vulnerability and fix. This must happen AFTER the announcement.
-** Also after announcement, modify the Jira ticket so that the issue is now 
publicly viewable.</li>
-<li>After the vulnerability is addressed, the CloudStack community should 
review development processes to see how the community can minimize the chance 
of similar vulnerabilities being introduced in the future.</li>
+  <li> Upon receiving notice of a potential security issue, a security team 
member will create a bug to track the investigation, this bug must be flagged 
as a security issue. Security flag should mean contents of ticket are not 
visible to non-security team members
+  <li> Security team investigates the issue to confirm/deny the presence of a 
vulnerability within CloudStack
+  <li> If the issue is determined not to be a vulnerability the reporter will 
be notified and the issue will be closed as invalid.
+  <li> If issue is confirmed as a CloudStack vulnerability:
+  <ul>
+    <li> Security team notifies the Apache Security team
+    <li> Security team assigns a risk rating to the vulnerability using the 
Common Vulnerability Scoring System
+    <li> Security team works with reporter to get a chance to investigate and 
mitigate the issue in a timely manner before public announcement. This should 
be between 15-30 days, depending on the severity and complexity of the issue
+    <li> Security team works with Apache Security Team to reserve a CVE 
Identifier for future public release
+    <li> Security team works with appropriate code maintainer(s) to create 
patch to mitigate the issue
+    <li> Testing is conducted to verify patch mitigates issue and does not 
cause regression errors
+    <li> Security team creates a vulnerability announcement
+    <li> Patch is committed to trunk and other supported branches that are 
affected.  The commit should not refer to a particular vulnerability.
+    <li> A new CloudStack release or hotfix is prepared and tested, containing 
the new security patch.
+    <li> Distributor coordination is implemented to enable a coordinated 
announcement.
+    <li> Security team posts vulnerability announcement to...
+    <ul>
+      <li> CloudStack dev list
+      <li> CloudStack users list
+      <li> CloudStack Security alerts web page
+      <li> The Bugtraq mailing list
+    </ul>
+    <li> After announcement, CHANGES and NEWS files need to be updated to 
reflect the vulnerability and fix. This must happen AFTER the announcement.
+    <li> Also after announcement, modify the Jira ticket so that the issue is 
now publicly viewable.
+  </ul>
+  <li> After the vulnerability is addressed, the CloudStack community should 
review development processes to see how the community can minimize the chance 
of similar vulnerabilities being introduced in the future.
 </ul>
+
 <h3 id="for-further-information">For further information</h3>
 <p>Further information about Apache CloudStack's security practices can be 
found in the <a 
href="https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+Security";>CloudStack
 Security wiki page</a>.</p> </p>
             </div>
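Review bot: the new `<li>` elements at every level of the nested list are left unclosed, whereas the `<li>` markup this hunk replaces was closed explicitly; HTML5 tolerates the implicit close, but closing each item (for example `<li>CloudStack dev list</li>`) keeps the nested `<ul>` unambiguously inside its parent item and avoids depending on parser recovery. While here, the trailing `to...` on "posts vulnerability announcement to..." reads better as `to:`, and the stray `</p> </p>` after the wiki link near the end of the hunk is the orphaned close of the `<p>` wrapper opened before the `<h2>`; both should go.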