Difference between revisions of "Policies/Security Policy"

(Try to document process)
(add missing step "Add advisory announcement the website")
Line 16: Line 16:
 
* Get a CVE https://github.com/RedHatProductSecurity/CVE-HOWTO
 
* Get a CVE https://github.com/RedHatProductSecurity/CVE-HOWTO
 
* Contact [https://mail.kde.org/mailman/listinfo/kde-security-preannounce kde-security-preannounce@kde.org] if we think it's important enough that binaries should be out the same moment of the security is disclosed to give distributors some heads up time
 
* Contact [https://mail.kde.org/mailman/listinfo/kde-security-preannounce kde-security-preannounce@kde.org] if we think it's important enough that binaries should be out the same moment of the security is disclosed to give distributors some heads up time
* issue security alert via [mailto:kde-announce@kde.org kde-announce@kde.org]
+
* Add advisory announcement the website
 +
** Check out svn+ssh://svn@svn.kde.org/home/kde/trunk/www/sites/www/info/security
 +
** Add new advisory as a txt file
 +
** Edit index.php to add link to the new advisory, commit
 +
* Issue security alert via [mailto:kde-announce@kde.org kde-announce@kde.org]
  
 
[[Category:Policies]]
 
[[Category:Policies]]
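Review bot: the added bullet "Add advisory announcement the website" is missing a preposition and should read "Add advisory announcement to the website". The ordering of the new sub-steps (check out the www/info/security directory, add the advisory as a txt file, edit index.php and commit) before "Issue security alert via kde-announce@kde.org" is right, since the announcement points at the published advisory, but the step "Add new advisory as a txt file" does not say how the file should be named; stating the naming convention (for example whether it carries the CVE identifier obtained in the "Get a CVE" step) would keep the index.php link, the advisory and the announcement consistent.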

Revision as of 09:02, 1 August 2016

This policy describes how security related issues are handled after they have been reported to security@kde.org.

Issues that are brought to the attention of security@kde.org are handled discreetly. The issue is verified, and the author or maintainer of the affected code is usually contacted. If the issue is indeed considered to be a problem, the need for an immediate fix is assessed. The security team also notifies affected parties that are known to reuse the affected code.

If an immediate fix is not considered necessary, a security alert is issued via kde-announce@kde.org.

If a fix is considered necessary, KDE release coordinators are contacted, and KDE vendor packagers, Linux distributors and other prenotification mailing lists (including kde-security-preannounce@kde.org) are informed once a fix is available that has passed review on security@kde.org. We then give them a reasonable amount of time to prepare binary packages. After that time we issue a security alert via kde-announce@kde.org. Patches in source form and any available updated binaries are published at the same time.

All security alerts are published on http://www.kde.org/info/security/.

KDE developers who want to join security@kde.org can send a motivated request to security@kde.org. Applications are evaluated on a case-by-case basis by the current members. The main criterion is the extent to which someone can be helpful in executing the security policy as described here. That includes a willingness not to disclose issues prematurely.

Process for the Security Team


Content is available under Creative Commons License SA 4.0 unless otherwise noted.