Hi Volker,

A few comments - I wrote the original policy and I'm happy that you're taking the time to evolve it:

> In addition, we have also been discussing a few aspects in The Qt Company
> where we would like to see the policy evolve, such as:
>
> * the integration of CVE handling into the process of disclosing
> vulnerabilities

At the time of writing, getting a CVE was difficult as a result of bottlenecks within the issuing process (see https://lwn.net/Articles/679315/ for background). These issues have now been resolved so I agree they should be assigned. It may also be worth considering including a CVSS score.

> * the documentation of security-relevant software engineering processes
> that The Qt Company operates today, such as external code audits or
> fuzzing; evolving such processes should be part of the discussion

At the time of writing, these activities were not present. I'd be happy to look at details of them and discuss. If we're going to, then there should also be some consideration made towards threat modelling and the development of a loosely formalised SDLC.

> * reviewing the way the core security team is operating

Indeed.

Cheers

Rich

> See https://bugreports.qt.io/browse/QTWEBSITE-860 for details. I'd be
> very happy about all contributions.
>
> Note that for the moment, the scope of this continues to be Qt itself,
> rather than surrounding infrastructure and processes.
>
> Cheers,
> Volker
>
> [1] https://wiki.qt.io/Qt_Project_Security_Policy
>
> _______________________________________________
> Development mailing list
> Development@qt-project.org
> https://lists.qt-project.org/listinfo/development