Policies/Security Policy: Difference between revisions

From KDE Community Wiki
No edit summary
No edit summary
 
(One intermediate revision by the same user not shown)
Line 16: Line 16:
* Get a CVE https://cveform.mitre.org/
* Get a CVE https://cveform.mitre.org/
* Contact [https://mail.kde.org/mailman/listinfo/kde-security-preannounce [email protected]] if we think it's important enough that binaries should be out the same moment of the security is disclosed to give distributors some heads up time
* Contact [https://mail.kde.org/mailman/listinfo/kde-security-preannounce [email protected]] if we think it's important enough that binaries should be out the same moment of the security is disclosed to give distributors some heads up time
* Agree on an advisory text with the developers and ideally the reporter
* Add advisory announcement the website
* Add advisory announcement the website
** Check out svn+ssh://svn@svn.kde.org/home/kde/trunk/www/sites/www/info/security
** Check out git@invent.kde.org:websites/kde-org.git
** Add new advisory as a txt file
** Add new advisory as a txt file in ./content/info/security
** Edit index.php to add link to the new advisory, commit
** Edit ./content/info/security/index.md to add link to the new advisory, commit and push (or create an MR)
* Issue security alert via [mailto:[email protected] [email protected]]
* Issue security alert via [mailto:[email protected] [email protected]]
* Email reporter to make sure she knows the advisory is out


[[Category:Policies]]
[[Category:Policies]]

Latest revision as of 22:17, 18 March 2024

This policy describes how security related issues are handled after they have been reported to [email protected].

Issues that are brought to the attention of [email protected] are handled discreetly. The issue will be verified and the author/maintainer of the affected code will usually be contacted. If the issue is indeed considered to be a problem the need for an immediate fix is assessed. The security team will also notify affected parties which are known to reuse the affected code.

If an immediate fix is not considered necessary a security alert is issued via [email protected].

If a fix is considered necessary, KDE release coordinators are contacted and KDE vendor packagers, Linux distributors and other prenotification mailing lists (including [email protected]) are informed once a fix is available that has passed review on [email protected]. We then give them a reasonable amount of time to prepare binary packages. After that time we issue a security alert via [email protected]. Patches in source form and any available updated binaries are published at the same time.

All security alerts are published on http://www.kde.org/info/security/.

KDE developers that want to join [email protected] can send a motivated request to [email protected]. Applications will be evaluated on a case by case basis by the current members. The main criteria is the extent to which someone can be helpful in executing the security policy as described here. That includes a willingness not to disclose issues prematurely.

Process for the Security Team

  • Answer incoming e-mails as soon as possible so people know we are listening to their report
  • If needed contact people that know the code in question to get the fix done/checked
  • Get a CVE https://cveform.mitre.org/
  • Contact [email protected] if we think it's important enough that binaries should be out the same moment of the security is disclosed to give distributors some heads up time
  • Agree on an advisory text with the developers and ideally the reporter
  • Add advisory announcement the website
    • Check out [email protected]:websites/kde-org.git
    • Add new advisory as a txt file in ./content/info/security
    • Edit ./content/info/security/index.md to add link to the new advisory, commit and push (or create an MR)
  • Issue security alert via [email protected]
  • Email reporter to make sure she knows the advisory is out