Hi Prasad, On 11/30/20 2:49 PM, P J P wrote: > From: Prasad J Pandit <p...@fedoraproject.org> > ... > +## How we respond: > + > +* Process of handling security issues can be divided in two halves. > +
Maybe: 0) **Acknowledge reception** - A non-automated response email is sent to acknowledge the reception of the request. This is the starting date for the maximum **60 days** required to process the issue, including bullets 1) and 2). > + 1) **Triage:** > + - Examine the issue details and confirm whether the issue is genuine > + - Validate if it can be misused for malicious purposes > + - Determine its worst case impact and severity > + [Low/Moderate/Important/Critical] > + > + 2) **Response:** > + - Negotiate embargo timeline (if required, depending on severity) > + - Request a CVE and open an upstream > + [bug](https://bugs.launchpad.net/qemu/+bug/) > + or a [GitLab](https://gitlab.com/groups/qemu-project/-/issues) issue > + - Create an upstream fix patch with the proper Buglink/CVE/Reported-by tags. - Participate in the review process until the patch is merged. Test the fix updates with the private reproducer if required. - Close the upstream [bug] with 'Fix released', including the commit SHA-1 of the fix. > + > +* Above security lists are operated by select analysts, maintainers and/or > + representatives from downstream communities. > + > +* List members follow a **responsible disclosure** policy. Any non-public > + information you share about security issues, is kept confidential within > the > + respective affiliated companies. Such information shall not be passed on to > + any third parties, including Xen Security Project, without your prior > + permission. > + > +* We aim to process security issues within maximum of **60 days**. That is > not > + to say that issues will remain private for 60 days, nope. After the > triaging > + step above > + - If issue is found to be less severe, an upstream public bug (or an > + issue) will be created immediately. > + - If issue is found to be severe, an embargo process below is followed, > + and public bug (or an issue) will be opened at the end of the set > + embargo period. 
> + > + This will allow upstream contributors to create, test and track fix > patch(es). > > Email sent to us is read and acknowledged with a non-automated response. For > issues that are complicated and require significant attention, we will open > an ^^^ You can remove that, as now covered by bullet 0). Regards, Phil.
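Review bot: the Response step in the numbered list ("Request a CVE and open an upstream bug or a GitLab issue") reads as if the public bug is filed as soon as the CVE is requested, but the later 60-days bullet says that for severe issues the public bug (or issue) is opened only at the end of the embargo period. Suggest making the Response step agree with that bullet, e.g. "Request a CVE; open an upstream bug or GitLab issue immediately for less severe issues, or at the end of the embargo period for severe ones", so a reader of the triage/response list does not conclude that embargoed issues go public on CVE request. Two smaller points in the same hunk: 'Fix released' is a Launchpad status, so the closing step should also say how a GitLab issue is closed (or simply "close the upstream bug or issue, noting the commit SHA-1 of the fix"); and "can be divided in two halves" should read "can be divided into two halves", while the "nope" in "will remain private for 60 days, nope" is too informal for a policy document.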