From mboxrd@z Thu Jan 1 00:00:00 1970
From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] KVM call agenda for 2014-04-28
Date: Tue, 29 Apr 2014 15:05:58 +0200
Message-ID:
References: <8738gxgary.fsf@elfo.mitica> <8761ltwjqt.fsf@blackfin.pond.sub.org> <20140429055124.GA12031@redhat.com> <20140429100948.GB15521@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Cc: Peter Maydell , Juan Quintela , Markus Armbruster , KVM devel mailing list , qemu list
To: "Michael S. Tsirkin"
Return-path:
Received: from mail-ob0-f182.google.com ([209.85.214.182]:48199 "EHLO mail-ob0-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751576AbaD2NF6 (ORCPT ); Tue, 29 Apr 2014 09:05:58 -0400
Received: by mail-ob0-f182.google.com with SMTP id uy5so180872obc.13 for ; Tue, 29 Apr 2014 06:05:58 -0700 (PDT)
In-Reply-To: <20140429100948.GB15521@redhat.com>
Sender: kvm-owner@vger.kernel.org
List-ID:

On Tue, Apr 29, 2014 at 12:09 PM, Michael S. Tsirkin wrote:
> On Tue, Apr 29, 2014 at 09:56:19AM +0100, Peter Maydell wrote:
>> On 29 April 2014 06:51, Michael S. Tsirkin wrote:
>> > If not too late, I'd like to discuss our security process.
>> > Do we as the project generally agree to use responsible disclosure policy
>> > http://en.wikipedia.org/wiki/Responsible_disclosure ?
>>
>> I think something like that makes sense. I'm a bit wary that
>> we write up some complicated policy that we're not then
>> in practice capable of executing given our level of resources.
>> We should certainly write out some documentation though...
>>
>> thanks
>> -- PMM
>
> I didn't have anything complex in mind.
>
> Let's just make clear how to contact us securely, when to contact that
> list, and what we'll do with the info. I cobbled together the
> following:
> http://wiki.qemu.org/SecurityProcess

Looks good. Responsible disclosure plus who to contact should be
enough to help people report security issues properly.

Stefan