Hello Dan,

+-- On Wed, 2 Dec 2020, Daniel P. Berrangé wrote --+
| > + - If issue is found to be less severe, an upstream public bug (or an
| > +   issue) will be created immediately.
|
| No need to repeat "or an issue". I think it would read more clearly as
|
|  - If the severity of the issue is sufficiently low, an upstream public bug
|    may be created immediately.

Okay.

| > + - If issue is found to be severe, an embargo process below is followed,
| > +   and public bug (or an issue) will be opened at the end of the set
| > +   embargo period.
|
|  - If the severity of the issue requires co-ordinated disclosure at a future
|    date, then the embargo process below is followed, and public bug will be
|    opened at the end of the set embargo period.

Okay.

| Somewhere around here is probably a good place to link to:
|
| https://www.qemu.org/docs/master/system/security.html
|
| which describes why we'll consider some things to be not security issues

Towards the end, there's a section about 'How impact & severity of an issue
is decided'; the above link will fit in there well, I think.

| > -If a security issue is reported that is not already publicly disclosed, an
| > -embargo date may be assigned and communicated to the reporter. Embargo
| > -periods will be negotiated by mutual agreement between members of the security
| > -team and other relevant parties to the problem. Members of the security contact
| > -list agree not to publicly disclose any details of the security issue until
| > -the embargo date expires.
| > +* If a security issue is reported that is not already public and is severe
| > +  enough, an embargo date may be assigned and communicated to the
| > +  reporter(s).
|
|
| * If a security issue is reported that is not already public and its
|   severity requires coordinated disclosure, an embargo date may be
|   assigned and communicated to the reporter(s).

...

| "The preferred embargo period will be up to 2 weeks, however, longer
| embargoes can be negotiated if the severity of the issues requires it."

Okay, will add above changes.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
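Review bot: the quoted "-"/"+" lines of the third hunk remove the two concrete commitments the old paragraph made (embargo periods "will be negotiated by mutual agreement between members of the security team and other relevant parties", and members of the security contact list "agree not to publicly disclose any details of the security issue until the embargo date expires"), while the single added "* If a security issue is reported ..." bullet only says an embargo date "may be assigned and communicated to the reporter(s)"; unless those sentences are carried in a part of the patch not quoted in this reply, the replacement should keep one bullet stating who is bound by the embargo and what they commit to, since that is the part a reporter actually relies on. In the first two hunks the added bullets also drop articles: "If issue is found to be less severe" / "If issue is found to be severe" should read "If the issue is found ...", "an embargo process below is followed" should be "the embargo process below is followed" (it refers to one specific process described later in the document), and "public bug (or an issue) will be opened" (as well as the proposed "and public bug will be opened") should be "a public bug will be opened".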