File: securityprocess.html

libvirt 5.6.0-2
  • area: main
  • in suites: bullseye
  • size: 240,844 kB
  • sloc: ansic: 584,521; xml: 176,725; sh: 9,912; python: 4,731; perl: 4,343; makefile: 3,321; ml: 465
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
  <!--
        This file is autogenerated from securityprocess.html.in
        Do not edit this file. Changes will be lost.
      -->
  <!--
        This page was generated at Tue Jul 30 02:04:26 UTC 2019.
      -->
  <head>
    <meta charset="UTF-8"/>
    <meta name="viewport" content="width=device-width, initial-scale=1"/>
    <link rel="stylesheet" type="text/css" href="main.css"/>
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png"/>
    <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png"/>
    <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png"/>
    <link rel="manifest" href="/manifest.json"/>
    <meta name="theme-color" content="#ffffff"/>
    <title>libvirt: Security Process</title>
    <meta name="description" content="libvirt, virtualization, virtualization API"/>
    <script type="text/javascript" src="js/main.js">
      <!--// forces non-empty element-->
    </script>
  </head>
  <body onload="pageload()">
    <div id="body">
      <div id="content">
        <h1>Security Process</h1>
        <ul>
          <li>
            <a href="#reporting">Reporting security issues</a>
          </li>
          <li>
            <a href="#secnotice">Security notices</a>
          </li>
          <li>
            <a href="#seclist">Security team</a>
          </li>
          <li>
            <a href="#embargo">Publication embargo policy</a>
          </li>
          <li>
            <a href="#cve">CVE allocation</a>
          </li>
          <li>
            <a href="#branches">Branch fixing policy</a>
          </li>
        </ul>
        <p>
      The libvirt project believes in responsible disclosure of
      security problems, to allow vendors time to prepare and
      distribute patches for problems ahead of their publication.
      This page describes how the process works and how to report
      potential security issues.
    </p>
        <h2>
          <a id="reporting">Reporting security issues</a>
          <a class="headerlink" href="#reporting" title="Permalink to this headline">¶</a>
        </h2>
        <p>
      If a bug in libvirt is found that is believed to have (potential)
      security implications, there is a dedicated contact to which the
      bug report or notification should be directed. Send an email with
      as many details of the problem as possible (ideally with steps to
      reproduce) to the following email address:
    </p>
        <pre>
          <a href="mailto:libvirt-security@redhat.com">libvirt-security@redhat.com</a>
        </pre>
        <p>
      NB: while this email address is backed by a mailing list, it is
      invitation-only and moderated for non-members, so you will receive
      an auto-reply indicating that the report is being held for
      moderation. Postings by non-members will be approved by a moderator
      and the reporter will be copied on any replies.
    </p>
        <h2>
          <a id="secnotice">Security notices</a>
          <a class="headerlink" href="#secnotice" title="Permalink to this headline">¶</a>
        </h2>
        <p>
      Information for all historical security issues is maintained in
      machine-parsable format in the
      <a href="https://libvirt.org/git/?p=libvirt-security-notice.git;a=log">libvirt-security-notice GIT repository</a> and
      <a href="https://security.libvirt.org">published online</a>
      in text, HTML and XML formats. Security notices are published
      on the <a href="https://libvirt.org/contact.html#email">libvirt-announce mailing list</a>
      when any embargo is lifted, or as soon as the issue is triaged if it
      is already public knowledge.
    </p>
        <h2>
          <a id="seclist">Security team</a>
          <a class="headerlink" href="#seclist" title="Permalink to this headline">¶</a>
        </h2>
        <p>
      The libvirt security team is made up of a subset of the libvirt
      core development team, covering the various distro maintainers
      of libvirt, along with nominated security engineers representing
      the various vendors who distribute libvirt. The team is responsible
      for analysing incoming reports from users to identify whether a
      security problem exists and, if so, its severity. It then works to
      produce a fix for all official stable branches of libvirt and to
      coordinate embargo dates between vendors so that all affected
      parties can release the fix simultaneously.
    </p>
        <p>
      If you are a security representative of a vendor distributing
      libvirt and would like to join the security team, send an email
      to the aforementioned security address. Typically an existing
      member of the security team will have to vouch for your credentials
      before membership is approved. All members of the security team
      are <strong>required to respect the embargo policy</strong>
      described below.
    </p>
        <h2>
          <a id="embargo">Publication embargo policy</a>
          <a class="headerlink" href="#embargo" title="Permalink to this headline">¶</a>
        </h2>
        <p>
      The libvirt security team operates a policy of
      <a href="http://en.wikipedia.org/wiki/Responsible_disclosure">responsible disclosure</a>.
      Any reported security issue that is not already publicly disclosed
      elsewhere will therefore have an embargo date assigned. Members of the
      security team agree not to publicly disclose any details of the
      security issue until the embargo date expires.
    </p>
        <p>
      The general aim of the team is to have embargo dates which
      are two weeks or less in duration. If a problem is identified
      with a proposed patch for a security issue, requiring further
      investigation and bug fixing, the embargo clock may be restarted.
      In exceptional circumstances longer initial embargoes may be
      negotiated by mutual agreement between members of the security
      team and other relevant parties to the problem. Any such extended
      embargoes will aim to be at most one month in duration.
    </p>
        <h2>
          <a id="cve">CVE allocation</a>
          <a class="headerlink" href="#cve" title="Permalink to this headline">¶</a>
        </h2>
        <p>
      The libvirt security team will associate each security issue with
      a CVE number. The CVE numbers will usually be allocated by one of
      the vendor security engineers on the security team.
    </p>
        <h2>
          <a id="branches">Branch fixing policy</a>
          <a class="headerlink" href="#branches" title="Permalink to this headline">¶</a>
        </h2>
        <p>
      The libvirt community maintains one or more stable release branches
      at any given point in time. The security team will aim to publish
      fixes for GIT master (which will become the next major release) and
      each currently maintained stable release branch. The distro maintainers
      will be responsible for backporting the officially published fixes to
      other release branches where applicable.
    </p>
      </div>
    </div>
    <div id="nav">
      <div id="home">
        <a href="index.html">Home</a>
      </div>
      <div id="jumplinks">
        <ul>
          <li>
            <a href="downloads.html">Download</a>
          </li>
          <li>
            <a href="contribute.html">Contribute</a>
          </li>
          <li>
            <a href="docs.html">Docs</a>
          </li>
        </ul>
      </div>
      <div id="search">
        <form id="simplesearch" action="https://www.google.com/search" enctype="application/x-www-form-urlencoded" method="get">
          <div>
            <input id="searchsite" name="sitesearch" type="hidden" value="libvirt.org"/>
            <input id="searchq" name="q" type="text" size="12" value=""/>
            <input name="submit" type="submit" value="Go"/>
          </div>
        </form>
        <div id="advancedsearch">
          <span>
            <input type="radio" name="what" id="whatwebsite" checked="checked" value="website"/>
            <label for="whatwebsite">Website</label>
          </span>
          <span>
            <input type="radio" name="what" id="whatwiki" value="wiki"/>
            <label for="whatwiki">Wiki</label>
          </span>
          <span>
            <input type="radio" name="what" id="whatdevs" value="devs"/>
            <label for="whatdevs">Developers list</label>
          </span>
          <span>
            <input type="radio" name="what" id="whatusers" value="users"/>
            <label for="whatusers">Users list</label>
          </span>
        </div>
      </div>
    </div>
    <div id="footer">
      <div id="contact">
        <h3>Contact</h3>
        <ul>
          <li>
            <a href="contact.html#email">email</a>
          </li>
          <li>
            <a href="contact.html#irc">irc</a>
          </li>
        </ul>
      </div>
      <div id="community">
        <h3>Community</h3>
        <ul>
          <li>
            <a href="https://twitter.com/hashtag/libvirt">twitter</a>
          </li>
          <li>
            <a href="http://stackoverflow.com/questions/tagged/libvirt">stackoverflow</a>
          </li>
          <li>
            <a href="http://serverfault.com/questions/tagged/libvirt">serverfault</a>
          </li>
        </ul>
      </div>
      <div id="conduct">
            Participants in the libvirt project agree to abide by <a href="governance.html#codeofconduct">the project code of conduct</a></div>
      <br class="clear"/>
    </div>
  </body>
</html>