Re: [libvirt] [PATCH] Document security reporting & handling process

On 06/04/2013 09:33 AM, Eric Blake wrote: > On 06/04/2013 04:06 AM, Daniel P. Berrange wrote: >> From: "Daniel P. Berrange" <berrange(a)redhat.com&gt; >> >> Historically security issues in libvirt have been primarily >> triaged & fixed by the Red Hat libvirt members & Red Hat >> security team, who then usually notify other vendors via >> appropriate channels. There have been a number of times >> when vendors have not been properly notified ahead of >> announcement. It has also disadvantaged community members >> who have to backport fixes to releases for which there are >> no current libvirt stable branches. >> >> To address this, we want to make the libvirt security process >> entirely community focused / driven. To this end I have setup >> a new email address &quot;libvirt-security(a)redhat.com&quot; for end >> users to report bugs which have (possible) security implications. >> Document how to report security bugs and the process that >> will be used for addressing them. >> >> Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com&gt; >> --- >> docs/bugs.html.in | 12 +++++ >> docs/contact.html.in | 12 +++++ >> docs/securityprocess.html.in | 113 +++++++++++++++++++++++++++++++++++++++++++ >> docs/sitemap.html.in | 4 ++ >> 4 files changed, 141 insertions(+) >> create mode 100644 docs/securityprocess.html.in Did this ever get pushed? It should go in before 1.1.0 is released, particularly since we have already used this list to discuss CVE-2013-2218 (more details on Monday when embargo ends).