From: Thomas Huth <thuth@redhat.com>
To: Kashyap Chamarthy <kchamart@redhat.com>,
	qemu-devel@nongnu.org, qemu-security@nongnu.org
Cc: pbonzini@redhat.com, eblake@redhat.com, peter.maydell@linaro.org
Subject: Re: [PATCH v2 1/3] docs: rSTify "security-process" page; move it to QEMU Git
Date: Tue, 15 Mar 2022 13:47:38 +0100	[thread overview]
Message-ID: <89c85796-9853-e2fe-977b-2ab321c29af5@redhat.com> (raw)
In-Reply-To: <20220314104943.513593-2-kchamart@redhat.com>

On 14/03/2022 11.49, Kashyap Chamarthy wrote:
> This is based on Paolo's suggestion[1] that the 'security-process'[2]
> page being a candidate for docs/devel.
> 
> Converted from Markdown to rST using:
> 
>      $> pandoc -f markdown -t rst security-process.md \
>          -o security-process.rst
> 
> It's a 1-1 conversion (I double-checked to the best I could).  I've also
> checked that the hyperlinks work correctly post-conversion.
> 
> [1] https://lists.nongnu.org/archive/html/qemu-devel/2021-11/msg04002.html
> [2] https://www.qemu.org/contribute/security-process
> 
> Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
> Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
> ---
>   docs/devel/index.rst            |   1 +
>   docs/devel/security-process.rst | 190 ++++++++++++++++++++++++++++++++
>   2 files changed, 191 insertions(+)
>   create mode 100644 docs/devel/security-process.rst
> 
> diff --git a/docs/devel/index.rst b/docs/devel/index.rst
> index afd937535e..424eff9294 100644
> --- a/docs/devel/index.rst
> +++ b/docs/devel/index.rst
> @@ -48,3 +48,4 @@ modifying QEMU's source code.
>      trivial-patches
>      submitting-a-patch
>      submitting-a-pull-request
> +   security-process
> diff --git a/docs/devel/security-process.rst b/docs/devel/security-process.rst
> new file mode 100644
> index 0000000000..cc1000fe43
> --- /dev/null
> +++ b/docs/devel/security-process.rst
> @@ -0,0 +1,190 @@
> +.. _security-process:
> +
> +Security Process
> +================
> +
> +Please report any suspected security issue in QEMU to the security
> +mailing list at:
> +
> +-  `<qemu-security@nongnu.org> <https://lists.nongnu.org/mailman/listinfo/qemu-security>`__
> +
> +To report an issue via `GPG <https://gnupg.org/>`__ encrypted email,
> +please send it to the Red Hat Product Security team at:
> +
> +-  `<secalert@redhat.com> <https://access.redhat.com/security/team/contact/#contact>`__
> +
> +**Note:** after the triage, encrypted issue details shall be sent to the
> +upstream ‘qemu-security’ mailing list for archival purposes.
> +
> +How to report an issue
> +----------------------
> +
> +-  Please include as many details as possible in the issue report. Ex:
> +
> +   -  QEMU version, upstream commit/tag
> +   -  Host & Guest architecture x86/Arm/PPC, 32/64 bit etc.
> +   -  Affected code area/snippets
> +   -  Stack traces, crash details
> +   -  Malicious inputs/reproducer steps etc.
> +   -  Any configurations/settings required to trigger the issue.
> +
> +-  Please share the QEMU command line used to invoke a guest VM.
> +
> +-  Please specify whom to acknowledge for reporting this issue.
> +
> +How we respond
> +~~~~~~~~~~~~~~
> +
> +-  Process of handling security issues comprises following steps:
> +
> +   0) **Acknowledge:**
> +
> +   -  A non-automated response email is sent to the reporter(s) to
> +      acknowledge the reception of the report. (*60 day’s counter starts
> +      here*)
> +
> +   1) **Triage:**
> +
> +   -  Examine the issue details and confirm whether the issue is genuine
> +   -  Validate if it can be misused for malicious purposes
> +   -  Determine its worst case impact and severity
> +      [Low/Moderate/Important/Critical]
> +
> +   2) **Response:**
> +
> +   -  Negotiate embargo timeline (if required, depending on severity)
> +   -  Request a `CVE <https://cveform.mitre.org/>`__ and open an
> +      upstream `bug <https://www.qemu.org/contribute/report-a-bug/>`__
> +   -  Create an upstream fix patch annotated with
> +
> +      -  CVE-ID
> +      -  Link to an upstream bugzilla
> +      -  Reported-by, Tested-by etc. tags
> +
> +   -  Once the patch is merged, close the upstream bug with a link to
> +      the commit
> +
> +      -  Fixed in:
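Review bot: the section nesting at `How we respond` looks unintended: `How to report an issue` is underlined with `-` and `How we respond` with `~`, and since rST assigns levels by order of first appearance, that makes `How we respond` a subsection of `How to report an issue` rather than a sibling under `Security Process`; underline it with `-` as well unless the nesting is deliberate. Two smaller things in the same hunk: the `Fixed in:` item at the end of the quoted part has nothing after it, so the commit-hash/link placeholder from the original page appears to have been dropped in the conversion, and `60 day's counter` should read `60-day counter`.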

There used to be a "<commit hash/link>" after that "Fixed in" on the 
original page, seems like you've lost that somewhere along the way?

Anyway, I'd like to hear from the security folks whether they are OK with 
moving this page to the main git repo, or whether it rather should stay in 
the qemu-web repo.

  Thomas
