"Daniel P. Berrange" <berra...@redhat.com> writes: > On Tue, Apr 29, 2014 at 02:33:58PM +0200, Markus Armbruster wrote: >> Peter Maydell <peter.mayd...@linaro.org> writes: >> >> > On 29 April 2014 11:09, Michael S. Tsirkin <m...@redhat.com> wrote: >> >> Let's just make clear how to contact us securely, when to contact that >> >> list, and what we'll do with the info. I cobbled together the >> >> following: >> >> http://wiki.qemu.org/SecurityProcess >> > >> > Looks generally OK I guess. I'd drop the 'how to use pgp' section -- >> > anybody who cares will already know how to send us PGP email. >> >> The first paragraph under "How to Contact Us Securely" is fine, the rest >> seems redundant for readers familiar with PGP, yet hardly sufficient for >> the rest. >> >> One thing I like about Libvirt's Security Process page[*] is they give >> an idea on embargo duration. > > FWIW I picked the "2 weeks" length myself a completely arbitrary timeframe. > We haven't stuck to that strictly - we consider needs of each vulnerability > as it is triaged to determine the minimum practical embargo time. So think > of "2 weeks" as more of a guiding principal to show the world that we don't > believe in keeping issues under embargo for very long periods of time.
Pretty much the way I read it :) The point I care about is a commitment to getting fixes out quickly, making clear we're not going to abuse "responsible disclosure" to cover dragging of feet and deflecting blame.
