Hello Konrad, all

+-- On Tue, 1 Dec 2020, Konrad Rzeszutek Wilk wrote --+
| On Mon, Nov 30, 2020 at 07:19:07PM +0530, P J P wrote:
| > We are about to introduce a qemu-security mailing list to report
| > and triage QEMU security issues.
| > Update the QEMU security process web page with new mailing list
| > and triage details.
|
| Thank you for doing it!
| Reviewed-by: Konrad Rzeszutek Wilk <konrad.w...@oracle.com>

Thank you.

| with one change below.
|
| > + - Request a CVE and open an upstream
| > + [bug](https://bugs.launchpad.net/qemu/+bug/)
| > + or a [GitLab](https://gitlab.com/groups/qemu-project/-/issues) issue
|
| You may want to clarify that this step in the process will not disclose the
| details of the issue to the public.

Yes, this is covered in the following process text and under the publication
embargo section:

===
+ * We aim to process ... 60 days ... After the triaging step above
+
+ - If issue is found to be less severe, an upstream public bug (or an
+ issue) will be created immediately.
+ - If issue is found to be severe, an embargo process below is followed,
+ and public bug (or an issue) will be opened at the end of the set
+ embargo period.
...
+* Embargo periods will be negotiated by mutual agreement between reporter(s),
+ members of the security list and other relevant parties to the problem.
+ Such embargo period is generally upto [2 weeks]
+
+* Members of the security list agree not to publicly disclose any details of
+ an embargoed security issue until its embargo date expires.
===

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
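Review bot: In the quoted embargo paragraph, "Such embargo period is generally upto [2 weeks]" has two problems for a web page source: "upto" should be "up to", and "[2 weeks]" in bare square brackets with no link target will render as literal brackets in Markdown rather than as a link or emphasis, so either attach a target or drop the brackets, e.g. "Such an embargo period is generally up to 2 weeks." The two triage bullets also drop the article: "If the issue is found to be less severe ..." and "If the issue is found to be severe ... and a public bug (or an issue) will be opened ...". Since this text is what reporters read to learn when their report becomes public, the wording is worth tightening before it goes live.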