On Mon, Nov 30, 2020 at 07:19:07PM +0530, P J P wrote: > From: Prasad J Pandit <p...@fedoraproject.org> > > We are about to introduce a qemu-security mailing list to report > and triage QEMU security issues. > > Update the QEMU security process web page with new mailing list > and triage details. > > Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
Thank you for doing it! Reviewed-by: Konrad Rzeszutek Wilk <konrad.w...@oracle.com> with one change below. > --- > contribute/security-process.md | 134 ++++++++++++++++++++------------- > 1 file changed, 80 insertions(+), 54 deletions(-) > > Update v1: incorporate feedback from review to include more details > -> https://lists.nongnu.org/archive/html/qemu-devel/2020-11/msg06234.html > > diff --git a/contribute/security-process.md b/contribute/security-process.md > index 1239967..fe1bc8b 100644 > --- a/contribute/security-process.md > +++ b/contribute/security-process.md > @@ -3,43 +3,70 @@ title: Security Process > permalink: /contribute/security-process/ > --- > > -QEMU takes security very seriously, and we aim to take immediate action to > -address serious security-related problems that involve our product. > - > -Please report any suspected security vulnerability in QEMU to the following > -addresses. You can use GPG keys for respective receipients to communicate > with > -us securely. If you do, please upload your GPG public key or supply it to us > -in some other way, so that we can communicate to you in a secure way, too! > -Please include the tag **\[QEMU-SECURITY\]** on the subject line to help us > -identify your message as security-related. > - > -## QEMU Security Contact List > - > -Please copy everyone on this list: > - > - Contact Person(s) | Contact Address | Company | GPG > Key | GPG key fingerprint > -:-----------------------|:------------------------------|:--------------|:---------:|:-------------------- > - Michael S. Tsirkin | m...@redhat.com | Red Hat Inc. | > [🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0xC3503912AFBE8E67) > | 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67 > - Petr Matousek | pmato...@redhat.com | Red Hat Inc. > | > [🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x3E786F42C44977CA) > | 8107 AF16 A416 F9AF 18F3 D874 3E78 6F42 C449 77CA > - Stefano Stabellini | sstabell...@kernel.org | Independent | > [🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x894F8F4870E1AE90) > | D04E 33AB A51F 67BA 07D3 0AEA 894F 8F48 70E1 AE90 > - Security Response Team | secal...@redhat.com | Red Hat Inc. > | [🔑](https://access.redhat.com/site/security/team/contact/#contact) | > - Michael Roth | michael.r...@amd.com | AMD | > [🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584) > | CEAC C9E1 5534 EBAB B82D 3FA0 3353 C9CE F108 B584 > - Prasad J Pandit | p...@redhat.com | Red Hat Inc. | > [🔑](http://pool.sks-keyservers.net/pks/lookup?op=vindex&search=0xE2858B5AF050DE8D) > | 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D > - > -## How to Contact Us Securely > - > -We use GNU Privacy Guard (GnuPG or GPG) keys to secure communications. Mail > -sent to members of the list can be encrypted with public keys of all members > -of the list. We expect to change some of the keys we use from time to time. > -Should a key change, the previous one will be revoked. > - > -## How we respond > - > -Maintainers listed on the security reporting list operate a policy of > -responsible disclosure. As such they agree that any information you share > with > -them about security issues that are not public knowledge is kept confidential > -within respective affiliated companies. It is not passed on to any > third-party, > -including Xen Security Project, without your permission. > +Please report any suspected security issue in QEMU to the security mailing > +list at: > + > +* > [\<qemu-secur...@nongnu.org\>](https://lists.gnu.org/archive/html/qemu-security/) > + > +To report an issue via [GPG](https://gnupg.org/) encrypted email, please send > +it to the Red Hat Product Security team at: > + > +* > [\<secal...@redhat.com\>](https://access.redhat.com/security/team/contact/#contact) > + > +**Note:** after the triage, encrypted issue details shall be sent to the > upstream > +'qemu-security' mailing list for archival purposes. > + > +## How to report an issue: > + > +* Please include as many details as possible in the issue report. > + Ex: > + - QEMU version, upstream commit/tag > + - Host & Guest architecture x86/Arm/PPC, 32/64 bit etc. > + - Affected code area/snippets > + - Stack traces, crash details > + - Malicious inputs/reproducer steps etc. > + - Any configurations/settings required to trigger the issue. > + > +* Please share the QEMU command line used to invoke a guest VM. > + > +* Please specify whom to acknowledge for reporting this issue. > + > +## How we respond: > + > +* Process of handling security issues can be divided in two halves. > + > + 1) **Triage:** > + - Examine the issue details and confirm whether the issue is genuine > + - Validate if it can be misused for malicious purposes > + - Determine its worst case impact and severity > + [Low/Moderate/Important/Critical] > + > + 2) **Response:** > + - Negotiate embargo timeline (if required, depending on severity) > + - Request a CVE and open an upstream > + [bug](https://bugs.launchpad.net/qemu/+bug/) > + or a [GitLab](https://gitlab.com/groups/qemu-project/-/issues) issue You may want to clarify that this step in the process will not disclose the details of the issue to the public.