On Wed, 2 Dec 2020, Daniel P. Berrangé wrote:
> On Mon, Nov 30, 2020 at 07:19:07PM +0530, P J P wrote:
> > From: Prasad J Pandit <p...@fedoraproject.org>
> > 
> > We are about to introduce a qemu-security mailing list to report
> > and triage QEMU security issues.
> > 
> > Update the QEMU security process web page with new mailing list
> > and triage details.
> > 
> > Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
> > ---
> >  contribute/security-process.md | 134 ++++++++++++++++++++-------------
> >  1 file changed, 80 insertions(+), 54 deletions(-)
> 
> > +* List members follow a **responsible disclosure** policy. Any non-public
> > +  information you share about security issues, is kept confidential within 
> > the
> > +  respective affiliated companies. Such information shall not be passed on 
> > to
> > +  any third parties, including Xen Security Project, without your prior
> > +  permission.
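Review bot: the comma in "security issues, is kept" separates the subject from its verb, and "the respective affiliated companies" does not say whose affiliation is meant (the list members' or the reporter's); suggest "Any non-public information you share about security issues is kept confidential within the list members' respective affiliated companies."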
> 
> Why this explicit note about the Xen project? What if we decide to want
> a member of the Xen security team on the QEMU security mailing list so that
> we can collaborate on triage?

Hi Daniel,

This is not an issue because the individual (probably me) of course
would not report anything to the Xen security team without prior
permission.

Also note that the Xen case is one of the easiest because the Xen
security policy gives full powers to the discoverer: the discoverer
chooses both when to disclose and to whom, and the Xen security team will
abide.


> Perhaps
> 
>      Any non-public information you share about security issues is kept
>      confidential between members of the QEMU security team, and a minimal
>      number of supporting staff in their affiliated companies.  Information
>      will not be disclosed to other third party organizations/individuals
>      without prior permission from the reporter.

Sounds good to me
